From 189f9579a003620d5b77ae542464bd77b9fdbb34 Mon Sep 17 00:00:00 2001
From: bert hubert
Date: Wed, 6 Jan 2016 21:32:31 +0100
Subject: [PATCH] implement TSIG for IXFR slaving, make ixplore use that infrastructure. Todo: hook it up in recursor
---
 pdns/ixfr.cc | 22 ++++++++++++++++++----
 pdns/ixfr.hh | 3 ++-
 pdns/ixplore.cc | 34 ++++++++++++++++++++++++++++------
 3 files changed, 48 insertions(+), 11 deletions(-)
diff --git a/pdns/ixfr.cc b/pdns/ixfr.cc
index f1eb0b8d8..ca31143ce 100644
--- a/pdns/ixfr.cc
+++ b/pdns/ixfr.cc
@@ -2,9 +2,9 @@
 #include "sstuff.hh"
 #include "dns_random.hh"
 #include "dnsrecords.hh"
+#include "dnssecinfra.hh"
-
-vector, vector > > getIXFRDeltas(const ComboAddress& master, const DNSName& zone, const DNSRecord& oursr)
+vector, vector > > getIXFRDeltas(const ComboAddress& master, const DNSName& zone, const DNSRecord& oursr, const DNSName& tsigalgo, const DNSName& tsigname, const std::string& tsigsecret)
 {
 vector, vector > > ret;
 vector packet;
@@ -12,10 +12,19 @@ vector, vector > > getIXFRDeltas(const Combo
 pw.getHeader()->qr=0;
 pw.getHeader()->rd=0;
 pw.getHeader()->id=dns_random(0xffff);
- pw.startRecord(zone, QType::SOA, 3600, QClass::IN, DNSResourceRecord::AUTHORITY);
+ pw.startRecord(zone, QType::SOA, 0, QClass::IN, DNSResourceRecord::AUTHORITY);
 oursr.d_content->toPacket(pw);
+ pw.commit();
-
+ if(!tsigalgo.empty()) {
+ TSIGRecordContent trc;
+ trc.d_algoName = tsigalgo;
+ trc.d_time = time((time_t*)NULL);
+ trc.d_fudge = 300;
+ trc.d_origID=ntohs(pw.getHeader()->id);
+ trc.d_eRcode=0;
+ addTSIG(pw, &trc, tsigname, tsigsecret, "", false);
+ }
 uint16_t len=htons(packet.size());
 string msg((const char*)&len, 2);
 msg.append((const char*)&packet[0], packet.size());
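Review bot: The TSIG added in this hunk signs only the outgoing IXFR query; neither this hunk nor the reply-parsing hunk at @@ -45,8 +54,13 @@ checks a TSIG on the master's response, so as far as these hunks show a slave configured with a key still accepts whatever deltas arrive once the added rcode check passes. If the reply MAC is verified elsewhere, a comment at the `addTSIG(pw, &trc, tsigname, tsigsecret, "", false);` call naming that place would help; otherwise the response needs to be checked against `tsigsecret`, with the MAC chained across the messages of a multi-message IXFR, before `ret` is filled. The same nine-line signing block is repeated verbatim in getSerialFromMaster in pdns/ixplore.cc (hunk @@ -57,10 +56,19 @@), so a shared helper along the lines of `void addQueryTSIG(DNSPacketWriter& pw, const DNSName& tsigalgo, const DNSName& tsigname, const std::string& tsigsecret)` would keep the two in step. `trc.d_time = time((time_t*)NULL);` can drop the C-style cast as `trc.d_time = time(nullptr);`. The body of getIXFRDeltas continues past the end of this hunk.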
@@ -45,8 +54,13 @@ vector, vector > > getIXFRDeltas(const Combo char reply[len]; readn2(s.getHandle(), reply, len); MOADNSParser mdp(string(reply, len)); + if(mdp.d_header.rcode) + throw std::runtime_error("Got an error trying to IXFR zone '"+zone.toString()+"' from master '"+master.toStringWithPort()+"': "+RCode::to_s(mdp.d_header.rcode)); + // cout<<"Got a response, rcode: "<getZoneRepresentation()<, vector > > getIXFRDeltas(const ComboAddress& master, const DNSName& zone, const DNSRecord& sr); +vector, vector > > getIXFRDeltas(const ComboAddress& master, const DNSName& zone, const DNSRecord& sr, + const DNSName& tsigalgo=DNSName(), const DNSName& tsigname=DNSName(), const std::string& tsigsecret=""); diff --git a/pdns/ixplore.cc b/pdns/ixplore.cc index 3a21d6b02..4e77c22de 100644 --- a/pdns/ixplore.cc +++ b/pdns/ixplore.cc @@ -25,7 +25,6 @@ using namespace boost::multi_index; StatBag S; - ArgvMap &arg() { static ArgvMap theArg; @@ -57,10 +56,19 @@ typedef multi_index_container< > >records_t; -uint32_t getSerialFromMaster(const ComboAddress& master, const DNSName& zone, shared_ptr& sr) +uint32_t getSerialFromMaster(const ComboAddress& master, const DNSName& zone, shared_ptr& sr, const DNSName& tsigalgo=DNSName(), const DNSName& tsigname=DNSName(), const std::string& tsigsecret="") { vector packet; DNSPacketWriter pw(packet, zone, QType::SOA); + if(!tsigalgo.empty()) { + TSIGRecordContent trc; + trc.d_algoName = tsigalgo; + trc.d_time = time((time_t*)NULL); + trc.d_fudge = 300; + trc.d_origID=ntohs(pw.getHeader()->id); + trc.d_eRcode=0; + addTSIG(pw, &trc, tsigname, tsigsecret, "", false); + } Socket s(master.sin4.sin_family, SOCK_DGRAM); s.connect(master); 
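Review bot: In the getSerialFromMaster hunk (pdns/ixplore.cc @@ -57,10 +56,19 @@) the query id is never assigned before `trc.d_origID=ntohs(pw.getHeader()->id);`, whereas getIXFRDeltas sets `pw.getHeader()->id=dns_random(0xffff);` first; unless DNSPacketWriter randomises the id on its own, this UDP SOA query leaves with a predictable id and the TSIG then covers that value. Adding `pw.getHeader()->id=dns_random(0xffff);` ahead of the `if(!tsigalgo.empty())` block would make the two query builders consistent. The defaults `=DNSName()` and `=""` are placed on the definition of a function with external linkage; marking it `static` would make clear that this definition is its only declaration. The remainder of getSerialFromMaster, including how the reply is read, lies outside the hunk.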
@@ -175,11 +183,10 @@ try string command; if(argc < 5 || (command=argv[1], (command!="diff" && command !="track"))) { cerr<<"Syntax: ixplore diff zone file1 file2"< 6) + tsigkey=DNSName(toLower(argv[6])); + if(argc > 7) + tsigalgo=DNSName(toLower(argv[7])); + string tsigsecret; + if(argc > 8) { + if(B64Decode(argv[8], tsigsecret) < 0) { + cerr<<"Could not decode tsig secret!"< sr; - uint32_t serial = getSerialFromMaster(master, zone, sr); + uint32_t serial = getSerialFromMaster(master, zone, sr, tsigalgo, tsigkey, tsigsecret); if(ourSerial == serial) { cout<<"still up to date, their serial is "<d_st.refresh<<" seconds"<d_st.refresh); @@ -274,7 +296,7 @@ try } cout<<"got new serial: "<
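Review bot: The key name and algorithm are parsed independently (`if(argc > 6)` and `if(argc > 7)`), yet signing in both getSerialFromMaster and getIXFRDeltas is gated on `!tsigalgo.empty()`, so as far as this hunk shows a user who supplies a key name and secret but no algorithm gets an unsigned transfer with no warning. A guard such as `if(!tsigkey.empty() && tsigalgo.empty())` next to the B64Decode check, reporting the problem and leaving the way the usage error path does, would make that failure explicit. Passing the base64 secret as argv[8] also exposes it to every local user through the process list; reading it from a file is the usual alternative for a tool like this. The declarations of tsigkey and tsigalgo and the new usage string are garbled in this copy of the hunk, so their initial values are inferred, and main continues beyond the hunk.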