From: Bert Hubert
Date: Mon, 10 Jan 2011 11:14:58 +0000 (+0000)
Subject: no longer try to add NSEC/NSEC3 to unsigned zones
X-Git-Tag: auth-3.0~393
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ed9c3a5013ef7656f0138fc28f51277ab30b0325;p=pdns

no longer try to add NSEC/NSEC3 to unsigned zones

also don't add DNSSEC material to unsigned zones during AXFR
quiet some logging about unsigned zones

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1854 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 719f9f561..5acc79a17 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -52,8 +52,8 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string signQName, uint16_t si
 rrc.d_tag = 0;
 // XXX we know the apex already.. is is the SOA name which we determined earlier
- if(!getSignerApexFor(dk, signQName, rrc.d_signer)) {
- cerr<<"No signer known for '"<addRecord(rr);
- if(p->d_dnssecOk)
+ if(p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname))
 addNSECX(p, r, target, sd.qname, 1);
 r->setRcode(RCode::NXDomain);
@@ -1026,8 +1026,8 @@ void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& t
 rr.d_place=DNSResourceRecord::AUTHORITY;
 rr.auth = 1;
 r->addRecord(rr);
-
- if(p->d_dnssecOk)
+
+ if(p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname))
 addNSECX(p, r, target, sd.qname, 0);
 S.ringAccount("noerror-queries",p->qdomain+"/"+p->qtype.getName());
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index e93ba7085..dd65209f4 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
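Review bot: The "is this zone signed" predicate `p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname)` is now written inline here in makeNOError, again in the NXDomain hunk just above it, and (without the DO-bit half) as `dk.haveActiveKSKFor(sd.qname)` in the tcpreceiver.cc AXFR hunk; a single helper on DNSSECKeeper, e.g. `bool isSecuredZone(const std::string& zone)` wrapping `haveActiveKSKFor`, would keep the three sites from drifting when the policy changes. Gating on an active KSK also makes "has an active KSK" stand in for "is signed": if DNSSECKeeper can represent a zone signed with only a ZSK, or one whose KSK is momentarily inactive mid-rollover, such a zone might still carry RRSIGs while its negative answers lose their NSEC/NSEC3, which validating resolvers treat as bogus — worth confirming, or gating on any active key instead. If haveActiveKSKFor consults the key store on every call rather than a cache, this adds one lookup to every DO-bit negative answer, which is the path a burst of non-existent-name queries exercises most. makeNOError's body begins and ends outside the hunk.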
@@ -503,7 +503,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out
 continue; // skip SOA - would indicate end of AXFR
 if(rr.qtype.getCode() == QType::NS) {
- cerr<first<<"'\n";
- NSECRecordContent nrc;
- nrc.d_set = iter->second;
- nrc.d_set.insert(QType::RRSIG);
- nrc.d_set.insert(QType::NSEC);
- if(boost::next(iter) != nsecrepo.end()) {
- nrc.d_next = boost::next(iter)->first;
+ if(dk.haveActiveKSKFor(sd.qname)) {
+ for(nsecrepo_t::const_iterator iter = nsecrepo.begin(); iter != nsecrepo.end(); ++iter) {
+ cerr<<"Adding for '"<first<<"'\n";
+ NSECRecordContent nrc;
+ nrc.d_set = iter->second;
+ nrc.d_set.insert(QType::RRSIG);
+ nrc.d_set.insert(QType::NSEC);
+ if(boost::next(iter) != nsecrepo.end()) {
+ nrc.d_next = boost::next(iter)->first;
+ }
+ else
+ nrc.d_next=nsecrepo.begin()->first;
+
+ rr.qname = iter->first;
+
+ rr.ttl = 3600;
+ rr.content = nrc.getZoneRepresentation();
+ rr.qtype = QType::NSEC;
+ rr.d_place = DNSResourceRecord::ANSWER;
+ outpacket->addRecord(rr);
+ count++;
 }
- else
- nrc.d_next=nsecrepo.begin()->first;
-
- rr.qname = iter->first;
-
- rr.ttl = 3600;
- rr.content = nrc.getZoneRepresentation();
- rr.qtype = QType::NSEC;
- rr.d_place = DNSResourceRecord::ANSWER;
- outpacket->addRecord(rr);
- count++;
 }
-
 if(count) {
 sendPacket(outpacket, outsock);