From: Bert Hubert Date: Sun, 2 Jan 2011 18:34:10 +0000 (+0000) Subject: move around a lot of stuff to isolate dnssec db connectivity X-Git-Tag: auth-3.0~457 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f7bcc763e3580680fc5a7c9b0b439f2babc9cfc8;p=pdns move around a lot of stuff to isolate dnssec db connectivity fix up addDomainMetadata so it doesn't keep on adding add import-zone-key functionality to dbdnsseckeeper remove key-repository setting from loads of places git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1790 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/Makefile.am b/pdns/Makefile.am index dcff67793..9ea1c14a9 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -44,7 +44,7 @@ rcpgenerator.cc dnsparser.cc dns_random.hh aes/aescpp.h \ aes/aescrypt.c aes/aes.h aes/aeskey.c aes/aes_modes.c aes/aesopt.h \ aes/aestab.c aes/aestab.h aes/brg_endian.h aes/brg_types.h aes/dns_random.cc \ randomhelper.cc namespaces.hh nsecrecords.cc base32.cc dbdnsseckeeper.cc dnssecinfra.cc \ -dnsseckeeper.hh dnssecinfra.hh base32.hh +dnsseckeeper.hh dnssecinfra.hh base32.hh dns.cc # pdns_server_LDFLAGS=@moduleobjects@ @modulelibs@ @DYNLINKFLAGS@ @LIBDL@ @THREADFLAGS@ $(BOOST_FILESYSTEM_LDFLAGS) $(BOOST_SYSTEM_LDFLAGS) -Lext/polarssl/library @@ -60,7 +60,7 @@ pdnssec_SOURCES=pdnssec.cc dbdnsseckeeper.cc sstuff.hh dnsparser.cc dnsparser.hh backends/bind/bindparser.cc backends/bind/bindlexer.c \ backends/gsql/gsqlbackend.cc \ backends/gsql/gsqlbackend.hh backends/gsql/ssql.hh zoneparser-tng.cc \ - dynlistener.cc + dynlistener.cc dns.cc pdnssec_LDFLAGS=@moduleobjects@ @modulelibs@ @DYNLINKFLAGS@ @LIBDL@ @THREADFLAGS@ -Lext/polarssl/library/ pdnssec_LDADD=$(BOOST_FILESYSTEM_LIBS) $(BOOST_SYSTEM_LIBS) -lpolarssl $(BOOST_PROGRAM_OPTIONS_LIBS) diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc index b93ca008c..62fbaac38 100644 --- a/pdns/backends/gsql/gsqlbackend.cc +++ b/pdns/backends/gsql/gsqlbackend.cc 
@@ -19,6 +19,7 @@ using namespace std; #include #include #include +#include using namespace boost; void GSQLBackend::setNotified(uint32_t domain_id, uint32_t serial) @@ -247,6 +248,7 @@ GSQLBackend::GSQLBackend(const string &mode, const string &suffix) d_ListDomainKeysQuery = "select cryptokeys.id, flags, active, content from domains, cryptokeys where domain_id=domains.id and name='%s'"; d_GetDomainMetadataQuery = "select content from domains, domainmetadata where domain_id=domains.id and name='%s' and domainmetadata.kind='%s'"; + d_ClearDomainMetadataQuery = "delete from domainmetadata where domain_id=(select id from domains where name='%s') and domainmetadata.kind='%s'"; d_SetDomainMetadataQuery = "insert into domainmetadata (domain_id, kind, content) select id, '%s', '%s' from domains where name='%s'"; } @@ -378,15 +380,22 @@ bool GSQLBackend::getDomainMetadata(const string& name, const std::string& kind, bool GSQLBackend::setDomainMetadata(const string& name, const std::string& kind, const std::vector& meta) { char output[16384]; - snprintf(output,sizeof(output)-1,d_SetDomainMetadataQuery.c_str(), - sqlEscape(kind).c_str(), sqlEscape(*meta.begin()).c_str(), sqlEscape(name).c_str()); + + if(!meta.empty()) + snprintf(output,sizeof(output)-1,d_SetDomainMetadataQuery.c_str(), + sqlEscape(kind).c_str(), sqlEscape(*meta.begin()).c_str(), sqlEscape(name).c_str()); + + string clearQuery = (boost::format(d_ClearDomainMetadataQuery) % sqlEscape(name) % sqlEscape(kind)).str(); try { - d_db->doCommand(output); + d_db->doCommand(clearQuery); + if(!meta.empty()) + d_db->doCommand(output); } catch (SSqlException &e) { throw AhuException("GSQLBackend unable to store metadata key: "+e.txtReason()); } + return true; } diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh index ee9e9aa89..dde766216 100644 --- a/pdns/backends/gsql/gsqlbackend.hh +++ b/pdns/backends/gsql/gsqlbackend.hh 
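Review bot: setDomainMetadata still persists only `*meta.begin()`, so a caller handing it several values silently loses all but the first, and the `snprintf` into the 16 KiB `output` buffer truncates silently when the escaped kind, content and name do not fit — the truncated statement is then handed to `doCommand` as-is. Check the length before executing, e.g. `int n = snprintf(output, sizeof(output)-1, d_SetDomainMetadataQuery.c_str(), ...);` followed by `if(n < 0 || (size_t)n >= sizeof(output)-1) throw AhuException("GSQLBackend: metadata query too long");`, and either loop over `meta` with one insert per element or state the single-value contract on the declaration. The clear and the insert are also two separate `doCommand` calls with no transaction visible in this hunk, so an insert that fails after the delete leaves the zone with its metadata (e.g. NSEC3PARAM) wiped; if the SSql layer exposes transactions, wrapping both calls would make the update atomic. The queries are still built by string substitution guarded only by `sqlEscape`; that is consistent with the rest of this backend, but it is worth a comment noting that every interpolated value must pass through `sqlEscape` since bind parameters are not used here.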
@@ -84,6 +84,7 @@ private: string d_AddDomainKeyQuery; string d_ListDomainKeysQuery; string d_GetDomainMetadataQuery; + string d_ClearDomainMetadataQuery; string d_SetDomainMetadataQuery; protected: bool d_dnssecQueries; diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index 6b99dc694..f8bffc4c4 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -99,7 +99,6 @@ void declareArguments() ::arg().set("webserver-address","IP Address of webserver to listen on")="127.0.0.1"; ::arg().set("webserver-port","Port of webserver to listen on")="8081"; ::arg().set("webserver-password","Password required for accessing the webserver")=""; - ::arg().set("key-repository", "Where DNSSEC keying material lives")="./keys"; ::arg().setSwitch("out-of-zone-additional-processing","Do out of zone additional processing")="yes"; ::arg().setSwitch("do-ipv6-additional-processing", "Do AAAA additional processing")="no"; diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc index 6a8571c87..944e15f49 100644 --- a/pdns/dbdnsseckeeper.cc +++ b/pdns/dbdnsseckeeper.cc @@ -37,11 +37,15 @@ void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, int algorithm bits = keyOrZone ? 2048 : 1024; DNSSECPrivateKey dpk; dpk.d_key.create(bits); - + addKey(name, keyOrZone, dpk, active); +} + +void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, const DNSSECPrivateKey& dpk, bool active) +{ DNSBackend::KeyData kd; kd.flags = 256 + keyOrZone; kd.active = active; - kd.content = dpk.d_key.convertToISC(algorithm); + kd.content = dpk.d_key.convertToISC(5); // now store it UeberBackend db; @@ -79,8 +83,6 @@ DNSSECPrivateKey DNSSECKeeper::getKeyById(const std::string& zname, unsigned int return dpk; } throw runtime_error("Can't find a key with id "+lexical_cast(id)+" for zone '"+zname+"'"); - - } 
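Review bot: The new `addKey(name, keyOrZone, dpk, active)` overload hard-codes `convertToISC(5)`, so the `algorithm` argument accepted by the key-generating overload is no longer used anywhere and every key — freshly generated or imported through this path — is recorded as algorithm 5 (RSA/SHA-1) regardless of what the caller asked for. Thread it through instead: `void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, const DNSSECPrivateKey& dpk, int algorithm, bool active)` with `kd.content = dpk.d_key.convertToISC(algorithm);`, and have the generating overload call `addKey(name, keyOrZone, dpk, algorithm, active);`, updating the declaration in dnsseckeeper.hh to match. If fixing the algorithm to 5 is deliberate for now, say so with a comment on that line rather than leaving an ignored parameter. The body of the new overload continues past the end of this hunk.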
@@ -129,13 +131,12 @@ void DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecor meta.push_back(descr); UeberBackend db; db.setDomainMetadata(zname, "NSEC3PARAM", meta); - - // XXX do db } void DNSSECKeeper::unsetNSEC3PARAM(const std::string& zname) { - // XXX do db + UeberBackend db; + db.setDomainMetadata(zname, "NSEC3PARAM", vector()); } @@ -174,4 +175,129 @@ void DNSSECKeeper::secureZone(const std::string& name, int algorithm) addKey(name, true, algorithm); } +bool getSignerFor(const std::string& qname, std::string &signer) +{ + DNSSECKeeper dk; + + signer=qname; + do { + if(dk.haveActiveKSKFor(signer)) + return true; + } while(chopOff(signer)); + return false; +} + +DNSKEYRecordContent getDNSKEYFor(const std::string& qname, bool withKSK, RSAContext* rc) +{ + DNSSECKeeper dk; + cerr<<"Asked for a DNSKEY for '"< >& toSign, RRSIGRecordContent& rrc, bool ksk) +{ + if(toSign.empty()) + return -1; + + rrc.d_type=signQType; + + // d_algorithm gets filled out by fillOutRRSIG, since it gets the key + rrc.d_labels=countLabels(signQName); + rrc.d_originalttl=signTTL; + rrc.d_siginception=getCurrentInception();; + rrc.d_sigexpire = rrc.d_siginception + 14*86400; + + rrc.d_tag=0; + if(!getSignerFor(signQName, rrc.d_signer)) { + cerr<<"No signer known for '"< >& toSign, DNSPacketWriter& pw) +{ + // cerr<<"Asked to sign '"<, RRSIGRecordContent> g_rrsigs; + +void fillOutRRSIG(const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector >& toSign, bool withKSK) +{ + RSAContext rc; + + DNSKEYRecordContent drc=getDNSKEYFor(rrc.d_signer, withKSK, &rc); + rrc.d_tag = drc.getTag(); + rrc.d_algorithm = drc.d_algorithm; + + if(g_rrsigs.count(make_pair(hash, rrc.d_tag))) { + // cerr<<"RRSIG cache hit !"< > outputs_t; + typedef vector > outputs_t; outputs_t outputs; push_back(outputs)("Modulus", &d_context.N)("PublicExponent",&d_context.E) ("PrivateExponent",&d_context.D) 
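Review bot: `g_rrsigs` is a process-wide `std::map` that fillOutRRSIG consults (and, from what survives of the garbled text, fills) with no synchronization or eviction visible in this hunk; pdns_server is built with `@THREADFLAGS@`, so if more than one thread signs answers concurrently this is a data race on the map, and its size grows with every distinct RRset ever signed. Guard both the `g_rrsigs.count(...)` lookup and the later insertion with a mutex declared next to the map and give the cache a bound, or document on the declaration that it may only be touched from a single signing thread. Separately, `rrc.d_sigexpire = rrc.d_siginception + 14*86400;` hard-codes a 14-day validity window; if `hash` does not incorporate the inception time, a cached RRSIG will keep being served after that window has passed, so either fold inception into the cache key or note explicitly why it is safe, e.g. `// cache key must change whenever the inception changes, otherwise expired RRSIGs are replayed`. The template arguments in this hunk were lost in extraction and fillOutRRSIG's body runs past the visible text, so the exact signatures could not be confirmed from here.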
@@ -292,17 +292,6 @@ DNSKEYRecordContent makeDNSKEYFromRSAKey(const rsa_context* rc, uint8_t algorith return drc; } -bool getSignerFor(const std::string& keyRepositoryDir, const std::string& qname, std::string &signer) -{ - DNSSECKeeper dk(keyRepositoryDir); - - signer=qname; - do { - if(dk.haveActiveKSKFor(signer)) - return true; - } while(chopOff(signer)); - return false; -} int countLabels(const std::string& signQName) { 
@@ -318,70 +307,6 @@ int countLabels(const std::string& signQName) -DNSKEYRecordContent getDNSKEYFor(const std::string& keyRepositoryDir, const std::string& qname, bool withKSK, RSAContext* rc) -{ - DNSSECKeeper dk(keyRepositoryDir); - cerr<<"Asked for a DNSKEY for '"<, RRSIGRecordContent> g_rrsigs; - -void fillOutRRSIG(const std::string& keyrepodir, const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector >& toSign, bool withKSK) -{ - RSAContext rc; - - DNSKEYRecordContent drc =getDNSKEYFor(keyrepodir, rrc.d_signer, withKSK, &rc); - rrc.d_tag = drc.getTag(); - rrc.d_algorithm = drc.d_algorithm; - - if(g_rrsigs.count(make_pair(hash, rrc.d_tag))) { - // cerr<<"RRSIG cache hit !"< >& toSign, RRSIGRecordContent& rrc, bool ksk) -{ - if(toSign.empty()) - return -1; - - rrc.d_type=signQType; - - // d_algorithm gets filled out by fillOutRRSIG, since it gets the key - rrc.d_labels=countLabels(signQName); - rrc.d_originalttl=signTTL; - rrc.d_siginception=getCurrentInception();; - rrc.d_sigexpire = rrc.d_siginception + 14*86400; - - rrc.d_tag=0; - if(!getSignerFor(keyrepodir, signQName, rrc.d_signer)) { - cerr<<"No signer known for '"< >& toSign, DNSPacketWriter& pw) -{ - // cerr<<"Asked to sign '"< >& toSign, bool withKSK=false); +void fillOutRRSIG(const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector >& toSign, bool withKSK=false); uint32_t getCurrentInception(); -void addSignature(const std::string& keyrepodir, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, vector >& toSign, DNSPacketWriter& pw); -int getRRSIGForRRSET(const std::string& keyrepodir, const std::string signQName, uint16_t signQType, uint32_t signTTL, +void addSignature(const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, vector >& toSign, DNSPacketWriter& pw); +int 
getRRSIGForRRSET(const std::string signQName, uint16_t signQType, uint32_t signTTL, vector >& toSign, RRSIGRecordContent &rrc, bool ksk); std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const std::string& qname); diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh index 5c491feb0..71120de97 100644 --- a/pdns/dnsseckeeper.hh +++ b/pdns/dnsseckeeper.hh @@ -67,7 +67,7 @@ public: void create(unsigned int bits); - std::string convertToISC(unsigned int algorithm); + std::string convertToISC(unsigned int algorithm) const; private: rsa_context d_context; @@ -101,13 +101,12 @@ public: typedef std::vector > keyset_t; public: - explicit DNSSECKeeper(const std::string& dirname) : d_dirname(dirname){} - bool haveActiveKSKFor(const std::string& zone, DNSSECPrivateKey* ksk=0); keyset_t getKeys(const std::string& zone, boost::tribool allOrKeyOrZone = boost::indeterminate); DNSSECPrivateKey getKeyById(const std::string& zone, unsigned int id); void addKey(const std::string& zname, bool keyOrZone, int algorithm=5, int bits=0, bool active=true); + void addKey(const std::string& zname, bool keyOrZone, const DNSSECPrivateKey& dpk, bool active=true); void removeKey(const std::string& zname, unsigned int id); void activateKey(const std::string& zname, unsigned int id); void deactivateKey(const std::string& zname, unsigned int id); @@ -117,9 +116,6 @@ public: bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0); void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& n3p); void unsetNSEC3PARAM(const std::string& zname); - -private: - std::string d_dirname; }; #endif diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index ef372d1ba..f69dd2942 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc 
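Review bot: With the constructor and `d_dirname` removed, DNSSECKeeper is now a stateless facade whose methods each construct their own `UeberBackend` per call (visible in addKey and the NSEC3PARAM setters in this commit), but nothing in the header says so, and getSignerFor now builds a keeper per lookup and calls haveActiveKSKFor once per label. Add a class comment such as `// Stateless: each method opens its own UeberBackend, so whatever that costs is paid on every call; keep calls out of tight loops or cache the answers.` and document on the new `addKey(const std::string&, bool, const DNSSECPrivateKey&, bool)` overload that `dpk` is stored as given and which algorithm identifier is recorded alongside it, since the overload takes none.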
@@ -204,8 +204,7 @@ int PacketHandler::doDNSKEYRequest(DNSPacket *p, DNSPacket *r) return false; DNSResourceRecord rr; - DNSSECKeeper dk(::arg()["key-repository"]); - + DNSSECKeeper dk; bool haveOne=false; DNSSECPrivateKey dpk; @@ -243,7 +242,7 @@ int PacketHandler::doNSEC3PARAMRequest(DNSPacket *p, DNSPacket *r) return false; DNSResourceRecord rr; - DNSSECKeeper dk(::arg()["key-repository"]); + DNSSECKeeper dk; NSEC3PARAMRecordContent ns3prc; if(dk.getNSEC3PARAM(p->qdomain, &ns3prc)) { @@ -534,7 +533,7 @@ void PacketHandler::emitNSEC3(const NSEC3PARAMRecordContent& ns3prc, const std:: */ void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode) { - DNSSECKeeper dk(::arg()["key-repository"]); + DNSSECKeeper dk; NSEC3PARAMRecordContent ns3rc; cerr<<"Doing NSEC3PARAM lookup for '"<qdomain, iter.first, 3600, iter.second, rrc, ksk); + getRRSIGForRRSET(p->qdomain, iter.first, 3600, iter.second, rrc, ksk); rr.content=rrc.getZoneRepresentation(); r->addRecord(rr); if(iter.first != QType::DNSKEY) diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc index eed2895de..462a1c6b9 100644 --- a/pdns/tcpreceiver.cc +++ b/pdns/tcpreceiver.cc @@ -461,7 +461,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out nsecrepo_t nsecrepo; // this is where the DNSKEYs go - DNSSECKeeper dk(::arg()["key-repository"]); + DNSSECKeeper dk; DNSSECKeeper::keyset_t keys = dk.getKeys(target); BOOST_FOREACH(const DNSSECKeeper::keyset_t::value_type& value, keys) { rr.qname = target;
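Review bot: The return value of `getRRSIGForRRSET(p->qdomain, iter.first, 3600, iter.second, rrc, ksk)` is discarded, yet its definition in this same commit returns -1 when `toSign` is empty and, from what survives of the garbled text, bails out when no signer is known for the name — in both cases `rrc` has not been filled out, but the lines that follow still serialise it with `getZoneRepresentation()` and add it to the reply, so a zone with no active KSK would answer with a bogus RRSIG rather than none. Skip the record on failure: `if(getRRSIGForRRSET(p->qdomain, iter.first, 3600, iter.second, rrc, ksk) < 0) continue;` (or the equivalent guard around `r->addRecord(rr)` if the surrounding construct is not a loop; the enclosing function and the loop both start and end outside this hunk). The `3600` passed as `signTTL` is also hard-coded even though it becomes `d_originalttl`, which should match the TTL of the covered RRset; if that TTL is available here, pass it, otherwise leave a comment explaining the fixed value.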