From: Bert Hubert Date: Mon, 3 Jan 2011 11:03:29 +0000 (+0000) Subject: enable hybrid gsqlite3/bind operation where sqlite hosts keying material X-Git-Tag: auth-3.0~451 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e0d84497d7db9cc466c9d08a20906bf039e9f0f4;p=pdns enable hybrid gsqlite3/bind operation where sqlite hosts keying material no longer create 25 database connections per packet (or so) add dirty hack to allow launch of bind backend, because the bind backend needs a dnsseckeeper and the dnsseckeeper.. needs a bind backend removed a lot of logging git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1796 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc index d952b6441..41aece34a 100644 --- a/pdns/dbdnsseckeeper.cc +++ b/pdns/dbdnsseckeeper.cc @@ -19,7 +19,7 @@ namespace fs = boost::filesystem; using namespace std; using namespace boost; -bool DNSSECKeeper::haveActiveKSKFor(const std::string& zone, DNSSECPrivateKey* dpk) +bool DNSSECKeeper::haveActiveKSKFor(const std::string& zone, DNSSECPrivateKey* dpk) { keyset_t keys = getKeys(zone, true); // need to get an *active* one! @@ -48,8 +48,7 @@ void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, const DNSSECP kd.content = dpk.d_key.convertToISC(5); // now store it - UeberBackend db; - db.addDomainKey(name, kd); + d_db.addDomainKey(name, kd); } @@ -61,9 +60,8 @@ static bool keyCompareByKindAndID(const DNSSECKeeper::keyset_t::value_type& a, c DNSSECPrivateKey DNSSECKeeper::getKeyById(const std::string& zname, unsigned int id) { - UeberBackend db; vector keys; - db.getDomainKeys(zname, 0, keys); + d_db.getDomainKeys(zname, 0, keys); BOOST_FOREACH(const DNSBackend::KeyData& kd, keys) { if(kd.id != id) continue; 
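Review bot: The status of `d_db.addDomainKey(name, kd)` in addKey is never examined, so if no launched backend stores the key, the ISC-exported private key placed in `kd.content` on the line above is silently dropped while the caller proceeds as if it were persisted. addKey's body begins before this hunk and UeberBackend::addDomainKey's return type is not in this diff; if it reports success as a bool, the call should read `if(!d_db.addDomainKey(name, kd)) throw AhuException("Unable to store key for zone '"+name+"'");`. The same unchecked forwarding recurs in the removeKey, deactivateKey, activateKey, setNSEC3PARAM and unsetNSEC3PARAM hunks (@@ -88 and @@ -132) of this file.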
@@ -88,27 +86,24 @@ DNSSECPrivateKey DNSSECKeeper::getKeyById(const std::string& zname, unsigned int void DNSSECKeeper::removeKey(const std::string& zname, unsigned int id) { - UeberBackend db; - db.removeDomainKey(zname, id); + d_db.removeDomainKey(zname, id); } void DNSSECKeeper::deactivateKey(const std::string& zname, unsigned int id) { - UeberBackend db; - db.deactivateDomainKey(zname, id); + d_db.deactivateDomainKey(zname, id); } void DNSSECKeeper::activateKey(const std::string& zname, unsigned int id) { - UeberBackend db; - db.activateDomainKey(zname, id); + d_db.activateDomainKey(zname, id); } bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* ns3p) { - UeberBackend db; + vector meta; - db.getDomainMetadata(zname, "NSEC3PARAM", meta); + d_db.getDomainMetadata(zname, "NSEC3PARAM", meta); if(meta.empty()) return false; 
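Review bot: In getNSEC3PARAM the removed `UeberBackend db;` is replaced by an added empty line (the bare `+`), which leaves a stray blank line at the top of the function body; drop the added line so the body starts directly with the `meta` declaration. The one-line removeKey, deactivateKey and activateKey methods now forward straight to the member, so a short comment on the class stating that all key and metadata access goes through the keeper's own `d_db` would make the intent visible without reading each body.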
@@ -132,24 +127,21 @@ void DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecor string descr = ns3p.getZoneRepresentation(); vector meta; meta.push_back(descr); - UeberBackend db; - db.setDomainMetadata(zname, "NSEC3PARAM", meta); + d_db.setDomainMetadata(zname, "NSEC3PARAM", meta); } void DNSSECKeeper::unsetNSEC3PARAM(const std::string& zname) { - UeberBackend db; - db.setDomainMetadata(zname, "NSEC3PARAM", vector()); + d_db.setDomainMetadata(zname, "NSEC3PARAM", vector()); } -DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const std::string& zone, boost::tribool allOrKeyOrZone) +DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const std::string& zone, boost::tribool allOrKeyOrZone) { keyset_t keyset; - UeberBackend db; vector dbkeyset; - db.getDomainKeys(zone, 0, dbkeyset); + d_db.getDomainKeys(zone, 0, dbkeyset); // do db thing //cerr<<"Here: received " < >& toSign, DNSPacketWriter& pw) +void addSignature(DNSSECKeeper& dk, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, vector >& toSign, DNSPacketWriter& pw) { // cerr<<"Asked to sign '"<, RRSIGRecordContent> g_rrsigs; -void fillOutRRSIG(const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector >& toSign, bool withKSK) +void fillOutRRSIG(DNSSECKeeper& dk, const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector >& toSign, bool withKSK) { RSAContext rc; - DNSKEYRecordContent drc=getDNSKEYFor(rrc.d_signer, withKSK, &rc); + DNSKEYRecordContent drc=getDNSKEYFor(dk, rrc.d_signer, withKSK, &rc); rrc.d_tag = drc.getTag(); rrc.d_algorithm = drc.d_algorithm; diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc index 9143d1b32..82acf3d29 100644 --- a/pdns/dnsbackend.cc +++ b/pdns/dnsbackend.cc 
@@ -163,7 +163,7 @@ int BackendMakerClass::numLauncheable() return d_instances.size(); } -vectorBackendMakerClass::all() +vectorBackendMakerClass::all(bool skipBIND) { vectorret; if(d_instances.empty()) @@ -171,6 +171,8 @@ vectorBackendMakerClass::all() try { for(vector >::const_iterator i=d_instances.begin();i!=d_instances.end();++i) { + if(skipBIND && i->first=="bind") + continue; DNSBackend *made=d_repository[i->first]->make(i->second); if(!made) throw AhuException("Unable to launch backend '"+i->first+"'"); diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh index 1c08fffd0..112223828 100644 --- a/pdns/dnsbackend.hh +++ b/pdns/dnsbackend.hh @@ -240,7 +240,7 @@ class BackendMakerClass public: void report(BackendFactory *bf); void launch(const string &instr); - vectorall(); + vectorall(bool skipBIND=false); void load(const string &module); int numLauncheable(); vector getModules(); diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc index 4bd01b005..a166888ad 100644 --- a/pdns/dnspacket.cc +++ b/pdns/dnspacket.cc @@ -226,7 +226,7 @@ bool DNSPacket::couldBeCached() /** Must be called before attempting to access getData(). This function stuffs all resource * records found in rrs into the data buffer. It also frees resource records queued for us. */ -void DNSPacket::wrapup(void) +void DNSPacket::wrapup(DNSSECKeeper* dk) { if(d_wrapped) { return; @@ -296,7 +296,7 @@ void DNSPacket::wrapup(void) if(d_dnssecOk) { if(pos != d_rrs.begin() && (signQType != pos->qtype.getCode() || signQName != pos->qname)) { - addSignature(signQName, wildcardQName, signQType, signTTL, signPlace, toSign, pw); + addSignature(*dk, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, pw); } signQName= pos->qname; wildcardQName = pos->wildcardname; 
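Review bot: The new `if(skipBIND && i->first=="bind") continue;` in BackendMakerClass::all carries no explanation, and the reason is non-obvious: per the commit message the bind backend itself constructs a DNSSECKeeper, whose UeberBackend would otherwise try to launch bind again. Add `// a DNSSECKeeper's own UeberBackend must not launch bind: bind constructs a DNSSECKeeper itself` above the test. When bind is the only launched backend, `ret` comes back empty for the key-only instance and nothing visible in this hunk or in the UeberBackend constructor (@@ -264 of ueberbackend.cc) reports that, so DNSSEC lookups would quietly find no keys; consider warning or throwing in that case. The positional `bool skipBIND=false` added in dnsbackend.hh (@@ -240) reads poorly at its only call site, `all(pname=="key-only")`; a named enum would be clearer.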
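Review bot: `addSignature(*dk, ...)` dereferences wrapup's new `DNSSECKeeper* dk` parameter without a null check, so any caller that still invokes wrapup without a keeper hits a null dereference on a DNSSEC-enabled packet; the dnspacket.hh change is not in view, and if it gives the argument a default of 0 every old call site keeps compiling. Either take the keeper by reference, `void DNSPacket::wrapup(DNSSECKeeper& dk)`, or guard it where d_dnssecOk is first consulted: `if(d_dnssecOk && !dk) throw AhuException("DNSPacket::wrapup() needs a DNSSECKeeper for DNSSEC answers");`. wrapup's body begins in the @@ -226 hunk and continues past this one, and the same dereference presumably recurs in the @@ -326 hunk.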
@@ -326,7 +326,7 @@ void DNSPacket::wrapup(void) // I assume this is some dirty hack to prevent us from signing the last SOA record in an AXFR.. XXX FIXME if(d_dnssecOk && !(d_tcp && d_rrs.rbegin()->qtype.getCode() == QType::SOA && d_rrs.rbegin()->priority == 1234)) { // cerr<<"Last signature.. "<priority<<", "<qtype.getCode()<<", "<< d_rrs.size()< // for 'operator+=()' #include - using namespace boost; using namespace std; using namespace boost::assign; - void RSAContext::create(unsigned int bits) { havege_state hs; diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh index 4b0f12824..2f0eab297 100644 --- a/pdns/dnssecinfra.hh +++ b/pdns/dnssecinfra.hh 
@@ -31,16 +31,18 @@ string getSHA1HashForRRSET(const std::string& qname, const RRSIGRecordContent& r DNSKEYRecordContent makeDNSKEYFromRSAKey(const rsa_context* rc, uint8_t algorithm, uint16_t flags); DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordContent& drc, int digest=1); -bool getSignerFor(const std::string& keyrepodir, const std::string& qname, std::string &signer); + int countLabels(const std::string& signQName); class RSAContext; +class DNSSECKeeper; -DNSKEYRecordContent getDNSKEYFor(const std::string& keyrepodir, const std::string& qname, bool withKSK, RSAContext* rc); -void fillOutRRSIG(const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector >& toSign, bool withKSK=false); +bool getSignerFor(DNSSECKeeper& dk, const std::string& keyrepodir, const std::string& qname, std::string &signer); +DNSKEYRecordContent getDNSKEYFor(DNSSECKeeper& dk, const std::string& keyrepodir, const std::string& qname, bool withKSK, RSAContext* rc); +void fillOutRRSIG(DNSSECKeeper& dk, const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector >& toSign, bool withKSK=false); uint32_t getCurrentInception(); -void addSignature(const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, vector >& toSign, DNSPacketWriter& pw); -int getRRSIGForRRSET(const std::string signQName, uint16_t signQType, uint32_t signTTL, +void addSignature(DNSSECKeeper& dk, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, vector >& toSign, DNSPacketWriter& pw); +int getRRSIGForRRSET(DNSSECKeeper& dk, const std::string signQName, uint16_t signQType, uint32_t signTTL, vector >& toSign, RRSIGRecordContent &rrc, bool ksk); std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const std::string& qname); 
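Review bot: The new declarations of getSignerFor and getDNSKEYFor still carry a `keyrepodir` parameter even though the commit moves key lookup into the DNSSECKeeper's database, and they do not match the call this commit writes in dnssecinfra.cc, `getDNSKEYFor(dk, rrc.d_signer, withKSK, &rc)`, which passes four arguments against a five-parameter prototype. Unless dnssecinfra.cc defines a separate four-parameter overload (its definitions are not in view), these two prototypes are dead declarations that the commit merely propagated `dk` into. Change them to `DNSKEYRecordContent getDNSKEYFor(DNSSECKeeper& dk, const std::string& qname, bool withKSK, RSAContext* rc);` and the corresponding `bool getSignerFor(DNSSECKeeper& dk, const std::string& qname, std::string &signer);`, and verify against the definitions.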
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh index 71120de97..00ec87752 100644 --- a/pdns/dnsseckeeper.hh +++ b/pdns/dnsseckeeper.hh @@ -6,6 +6,7 @@ #include #include #include "dnsrecords.hh" +#include "ueberbackend.hh" #define PDNSSEC_MI(x) mpi_init(&d_context.x, 0) #define PDNSSEC_MC(x) PDNSSEC_MI(x); mpi_copy(&d_context.x, const_cast(&orig.d_context.x)) @@ -99,8 +100,10 @@ public: string fname; }; typedef std::vector > keyset_t; - +private: + UeberBackend d_db; public: + DNSSECKeeper() : d_db("key-only"){} bool haveActiveKSKFor(const std::string& zone, DNSSECPrivateKey* ksk=0); keyset_t getKeys(const std::string& zone, boost::tribool allOrKeyOrZone = boost::indeterminate); diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index f69dd2942..994b00cbf 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -204,12 +204,10 @@ int PacketHandler::doDNSKEYRequest(DNSPacket *p, DNSPacket *r) return false; DNSResourceRecord rr; - DNSSECKeeper dk; - bool haveOne=false; DNSSECPrivateKey dpk; - if(dk.haveActiveKSKFor(p->qdomain, &dpk)) { + if(d_dk.haveActiveKSKFor(p->qdomain, &dpk)) { rr.qtype=QType::DNSKEY; rr.ttl=3600; rr.qname=p->qdomain; @@ -219,7 +217,7 @@ int PacketHandler::doDNSKEYRequest(DNSPacket *p, DNSPacket *r) haveOne=true; } - DNSSECKeeper::keyset_t zskset = dk.getKeys(p->qdomain, false); + DNSSECKeeper::keyset_t zskset = d_dk.getKeys(p->qdomain, false); BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type value, zskset) { rr.qtype=QType::DNSKEY; rr.ttl=3600; @@ -242,10 +240,9 @@ int PacketHandler::doNSEC3PARAMRequest(DNSPacket *p, DNSPacket *r) return false; DNSResourceRecord rr; - DNSSECKeeper dk; NSEC3PARAMRecordContent ns3prc; - if(dk.getNSEC3PARAM(p->qdomain, &ns3prc)) { + if(d_dk.getNSEC3PARAM(p->qdomain, &ns3prc)) { rr.qtype=QType::NSEC3PARAM; rr.ttl=3600; rr.qname=p->qdomain; 
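Review bot: `DNSSECKeeper() : d_db("key-only"){}` selects UeberBackend's skip-bind behaviour through a magic string that the constructor in ueberbackend.cc (@@ -264, `all(pname=="key-only")`) compares against; nothing ties the two literals together, and a typo in either would silently launch bind again with no error. Hoist the literal into one constant declared in ueberbackend.hh and used by both sites, or better give UeberBackend an explicit constructor flag instead of overloading the program name. UeberBackend also registers `this` in a static list and records `pthread_self()` at construction (visible in the ueberbackend.cc hunks), so a DNSSECKeeper now implicitly inherits per-object, per-thread semantics; declaring its copy constructor and assignment operator private and adding `UeberBackend d_db; // key-only backend set (no bind); one keeper per thread, never copied` would make that explicit.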
@@ -533,10 +530,9 @@ void PacketHandler::emitNSEC3(const NSEC3PARAMRecordContent& ns3prc, const std:: */ void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode) { - DNSSECKeeper dk; NSEC3PARAMRecordContent ns3rc; cerr<<"Doing NSEC3PARAM lookup for '"<qdomain, iter.first, 3600, iter.second, rrc, ksk); + getRRSIGForRRSET(d_dk, p->qdomain, iter.first, 3600, iter.second, rrc, ksk); rr.content=rrc.getZoneRepresentation(); r->addRecord(rr); if(iter.first != QType::DNSKEY) @@ -1280,7 +1276,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) // doDNSSECProcessing(p, r); - r->wrapup(); // needed for inserting in cache + r->wrapup(&d_dk); // needed for inserting in cache if(!noCache) { PC.insert(p,r); // in the packet cache } diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh index ff3824c92..8197ee855 100644 --- a/pdns/packethandler.hh +++ b/pdns/packethandler.hh @@ -1,6 +1,6 @@ /* PowerDNS Versatile Database Driven Nameserver - Copyright (C) 2002 PowerDNS.COM BV + Copyright (C) 2002 - 2011 PowerDNS.COM BV This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 @@ -28,6 +28,7 @@ #include "ueberbackend.hh" #include "dnspacket.hh" #include "packetcache.hh" +#include "dnsseckeeper.hh" using namespace std; @@ -122,6 +123,7 @@ private: bool d_doIPv6AdditionalProcessing; UeberBackend B; // every thread an own instance + DNSSECKeeper d_dk; // same, might even share B? }; #endif /* PACKETHANDLER */ diff --git a/pdns/ueberbackend.cc b/pdns/ueberbackend.cc index 6ee151b4e..ca1491930 100644 --- a/pdns/ueberbackend.cc +++ b/pdns/ueberbackend.cc 
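Review bot: The comment on the new member in packethandler.hh, `// same, might even share B?`, records an open question rather than the design; d_dk carries its own UeberBackend (constructed "key-only" in dnsseckeeper.hh), so each PacketHandler now launches every non-bind backend twice, once for B and once inside d_dk, which presumably doubles the per-thread database connections the commit message is trying to reduce. Replace it with `DNSSECKeeper d_dk; // per-thread like B; owns a second UeberBackend (without bind) used only for key and metadata lookups`. Whether d_dk could reuse B is a design decision worth tracking as an explicit TODO rather than a question mark in a member comment.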
@@ -1,6 +1,6 @@ /* PowerDNS Versatile Database Driven Nameserver - Copyright (C) 2005 - 2008 PowerDNS.COM BV + Copyright (C) 2005 - 2011 PowerDNS.COM BV This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as @@ -47,7 +47,6 @@ vectorUeberBackend::instances; pthread_mutex_t UeberBackend::instances_lock=PTHREAD_MUTEX_INITIALIZER; sem_t UeberBackend::d_dynserialize; -string UeberBackend::programname; string UeberBackend::s_status; // initially we are blocked @@ -223,7 +222,6 @@ bool UeberBackend::getSOA(const string &domain, SOAData &sd, DNSPacket *p) } } - for(vector::const_iterator i=backends.begin();i!=backends.end();++i) if((*i)->getSOA(domain, sd, p)) { DNSResourceRecord rr; @@ -256,7 +254,6 @@ void UeberBackend::setStatus(const string &st) UeberBackend::UeberBackend(const string &pname) { -// programname=pname; pthread_mutex_lock(&instances_lock); instances.push_back(this); // report to the static list of ourself pthread_mutex_unlock(&instances_lock); @@ -264,7 +261,7 @@ UeberBackend::UeberBackend(const string &pname) tid=pthread_self(); stale=false; - backends=BackendMakers().all(); + backends=BackendMakers().all(pname=="key-only"); } void UeberBackend::die() diff --git a/pdns/ueberbackend.hh b/pdns/ueberbackend.hh index 24b1c45a8..f6cc632f9 100644 --- a/pdns/ueberbackend.hh +++ b/pdns/ueberbackend.hh @@ -160,7 +160,7 @@ private: static int s_s; static string s_status; int d_ancount; - static string programname; + bool stale; };