From: bert hubert <bert.hubert@netherlabs.nl>
Date: Sat, 28 Nov 2015 10:05:07 +0000 (+0100)
Subject: hook up ECDSA in git pdns_recursor build, not yet in separate tarball. Fix up CNAME... 
X-Git-Tag: dnsdist-1.0.0-alpha1~179
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e2fec75a57b31466ba3ad1d0af934bfdda82fe22;p=pdns

hook up ECDSA in git pdns_recursor build, not yet in separate tarball. Fix up CNAME chains and resolving insecure domains with do=1
---

diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 14880cfd4..315e84a42 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -1158,6 +1158,12 @@ pdns_recursor_SOURCES += pkcs11signers.cc pkcs11signers.hh
 pdns_recursor_LDADD += $(P11KIT1_LIBS)
 endif
 
+if BOTAN110
+pdns_recursor_SOURCES += botan110signers.cc botansigners.cc
+pdns_recursor_LDADD += $(BOTAN110_LIBS)
+endif
+
+
 pdns_recursor_LDFLAGS = $(AM_LDFLAGS)
 
 if MALLOC_TRACE
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index dc0ba748f..8346d5669 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -801,9 +801,14 @@ void startDoResolve(void *p)
       pw.getHeader()->rcode=res;
 
       if(edo.d_Z & EDNSOpts::DNSSECOK) {
-	if(validateRecords(ret))
+	auto state=validateRecords(ret);
+	if(state == Secure) {
 	  pw.getHeader()->ad=1;
-	else {
+	}
+	else if(state == Insecure) {
+	  pw.getHeader()->ad=0;
+	}
+	else if(state == Bogus && !pw.getHeader()->cd) {
 	  pw.getHeader()->rcode=RCode::ServFail;
 	  goto sendit;
 	}
diff --git a/pdns/validate-recursor.cc b/pdns/validate-recursor.cc
index 89fd1de85..df1b549d6 100644
--- a/pdns/validate-recursor.cc
+++ b/pdns/validate-recursor.cc
@@ -12,9 +12,8 @@ public:
     SyncRes sr(tv);
 
     vector<DNSRecord> ret;
-    int res;
     sr.d_doDNSSEC=true;
-    res=sr.beginResolve(qname, QType(qtype), 1, ret);
+    sr.beginResolve(qname, QType(qtype), 1, ret);
     d_queries += sr.d_outqueries;
     return ret;
   }
@@ -22,14 +21,14 @@ public:
 };
 
 
-bool validateRecords(const vector<DNSRecord>& recs)
+vState validateRecords(const vector<DNSRecord>& recs)
 {
   g_rootDS =  "19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5";
   cspmap_t cspmap=harvestCSPFromRecs(recs);
   //  cerr<<"Got "<<cspmap.size()<<" RRSETs: ";
   int numsigs=0;
   for(const auto& csp : cspmap) {
-    //    cerr<<" "<<csp.first.first<<'/'<<DNSRecordContent::NumberToType(csp.first.second)<<": "<<csp.second.signatures.size()<<" sigs for "<<csp.second.records.size()<<" records"<<endl;
+    //    cerr<<"Going to validate: "<<csp.first.first<<'/'<<DNSRecordContent::NumberToType(csp.first.second)<<": "<<csp.second.signatures.size()<<" sigs for "<<csp.second.records.size()<<" records"<<endl;
     numsigs+= csp.second.signatures.size();
   }
    
@@ -41,10 +40,8 @@ bool validateRecords(const vector<DNSRecord>& recs)
   if(numsigs) {
     for(const auto& csp : cspmap) {
       for(const auto& sig : csp.second.signatures) {
-	//	cerr<<"got rrsig "<<sig->d_signer<<"/"<<sig->d_tag<<endl;
 	vState state = getKeysFor(sro, sig->d_signer, keys);
 	//	cerr<<"! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys"<<endl;
-        // dsmap.insert(make_pair(dsrc.d_tag, dsrc));
       }
     }
 
@@ -54,7 +51,9 @@ bool validateRecords(const vector<DNSRecord>& recs)
     //    cerr<<"no sigs, hoping for Insecure"<<endl;
     vState state = getKeysFor(sro, recs.begin()->d_name, keys); // um WHAT DOES THIS MEAN - try first qname??
     //    cerr<<"! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys "<<endl;
+    return state;
   }
+  
   //  cerr<<"! validated "<<validrrsets.size()<<" RRsets out of "<<cspmap.size()<<endl;
 
   //  cerr<<"% validated RRs:"<<endl;
@@ -65,5 +64,7 @@ bool validateRecords(const vector<DNSRecord>& recs)
     }
   }
   //  cerr<<"Took "<<sro.d_queries<<" queries"<<endl;
-  return validrrsets.size() == cspmap.size();
+  if(validrrsets.size() == cspmap.size())
+    return Secure;
+  return Insecure;
 }
diff --git a/pdns/validate-recursor.hh b/pdns/validate-recursor.hh
index e3fd3999e..195206144 100644
--- a/pdns/validate-recursor.hh
+++ b/pdns/validate-recursor.hh
@@ -1,5 +1,6 @@
 #pragma once
 #include "dnsparser.hh"
 #include "namespaces.hh"
+#include "validate.hh"
 
-bool validateRecords(const vector<DNSRecord>& recs);
+vState validateRecords(const vector<DNSRecord>& recs);