From 28e2e78e1cacb72d3caa9424f9569a5804327c68 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Mon, 27 Jul 2015 22:28:38 +0200
Subject: [PATCH] use NSEC3PARAMRecordContent for hashQNameWithSalt()
---
 modules/bindbackend/bindbackend2.cc | 4 ++--
 modules/remotebackend/remotebackend.cc | 6 +++---
 modules/remotebackend/remotebackend.hh | 2 +-
 modules/remotebackend/test-remotebackend.cc | 5 ++++-
 pdns/backends/gsql/gsqlbackend.cc | 6 +++---
 pdns/backends/gsql/gsqlbackend.hh | 2 +-
 pdns/dnsbackend.hh | 3 ++-
 pdns/dnssecinfra.cc | 19 +++++++++----------
 pdns/dnssecinfra.hh | 2 +-
 pdns/nsec3dig.cc | 5 ++++-
 pdns/packethandler.cc | 8 ++++----
 pdns/pdnssec.cc | 6 +++---
 pdns/rfc2136handler.cc | 14 +++++++-------
 pdns/saxfr.cc | 2 +-
 pdns/slavecommunicator.cc | 6 +++---
 pdns/tcpreceiver.cc | 6 +++---
 16 files changed, 51 insertions(+), 45 deletions(-)
diff --git a/modules/bindbackend/bindbackend2.cc b/modules/bindbackend/bindbackend2.cc
index 50c83feb9..f23c239ca 100644
--- a/modules/bindbackend/bindbackend2.cc
+++ b/modules/bindbackend/bindbackend2.cc
@@ -446,7 +446,7 @@ void Bind2Backend::parseZoneFile(BB2DomainInfo *bbd) if(nsec3zone) { if(rr.qtype.getCode() != QType::NSEC3 && rr.qtype.getCode() != QType::RRSIG)
- hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname));
+ hashed=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname));
 else hashed=""; }
@@ -724,7 +724,7 @@ void Bind2Backend::doEmptyNonTerminals(BB2DomainInfo& bbd, bool nsec3zone, NSEC3 { rr.qname=nt.first+bbd.d_name; if(nsec3zone)
- hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname.toString()));
+ hashed=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname.toString()));
 insertRecord(bbd, rr.qname, rr.qtype, rr.content, rr.ttl, hashed, &nt.second); } }
diff --git a/modules/remotebackend/remotebackend.cc b/modules/remotebackend/remotebackend.cc
index e00648092..2bdb71c4c 100644
--- a/modules/remotebackend/remotebackend.cc
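Review bot: In the doEmptyNonTerminals hunk the call still passes `rr.qname.toString()`, so the name is flattened to text and then implicitly re-parsed into the `const DNSName&` parameter that hashQNameWithSalt() now declares, whereas the parseZoneFile hunk just above passes `rr.qname` directly. The round-trip is redundant work per empty non-terminal and, should DNSName's string constructor normalise anything, is not even guaranteed to yield the same name that was just built from `nt.first+bbd.d_name`; the line should read `hashed=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname));`. Every other caller touched by this series passes a DNSName, so this is the one remaining outlier. doEmptyNonTerminals continues outside the hunk.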
+++ b/modules/remotebackend/remotebackend.cc
@@ -827,7 +827,7 @@ bool RemoteBackend::feedEnts(int domain_id, map& nonterm) { return true; }
-bool RemoteBackend::feedEnts3(int domain_id, const DNSName& domain, map& nonterm, unsigned int times, const string &salt, bool narrow) {
+bool RemoteBackend::feedEnts3(int domain_id, const DNSName& domain, map& nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow) {
 rapidjson::Document query,answer; rapidjson::Value parameters; rapidjson::Value nts;
@@ -836,8 +836,8 @@ bool RemoteBackend::feedEnts3(int domain_id, const DNSName& domain, map& rrset); virtual bool feedRecord(const DNSResourceRecord &r, string *ordername); virtual bool feedEnts(int domain_id, map& nonterm);
- virtual bool feedEnts3(int domain_id, const DNSName& domain, map& nonterm, unsigned int times, const string &salt, bool narrow);
+ virtual bool feedEnts3(int domain_id, const DNSName& domain, map& nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow);
 virtual bool startTransaction(const DNSName& domain, int domain_id); virtual bool commitTransaction(); virtual bool abortTransaction();
diff --git a/modules/remotebackend/test-remotebackend.cc b/modules/remotebackend/test-remotebackend.cc
index cac2c7e02..83074e0ac 100644
--- a/modules/remotebackend/test-remotebackend.cc
+++ b/modules/remotebackend/test-remotebackend.cc
@@ -277,8 +277,11 @@ BOOST_AUTO_TEST_CASE(test_method_feedEnts) { BOOST_AUTO_TEST_CASE(test_method_feedEnts3) { BOOST_TEST_MESSAGE("Testing feedEnts3 method"); be->startTransaction(DNSName("example.com"),2);
+ NSEC3PARAMRecordContent ns3prc;
+ ns3prc.d_iterations=1;
+ ns3prc.d_salt="\u00aa\u00bb\u00cc\u00dd";
 map nonterm = boost::assign::map_list_of(DNSName("_udp"), true)(DNSName("_sip._udp"), true);
- BOOST_CHECK(be->feedEnts3(2, DNSName("example.com"), nonterm, 1, "\u00aa\u00bb\u00cc\u00dd", 0));
+ BOOST_CHECK(be->feedEnts3(2, DNSName("example.com"), nonterm, ns3prc, 0));
 be->commitTransaction(); }
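Review bot: In the test_method_feedEnts3 hunk the salt literal `"\u00aa\u00bb\u00cc\u00dd"` is a narrow string built from universal-character-names, so each `\u00xx` is emitted in the execution character set (two bytes apiece under UTF-8) rather than as the four raw octets aa bb cc dd that a hex salt suggests; the removed line carried the same literal, but moving it into a named field is the moment to make the intent explicit with `ns3prc.d_salt="\xaa\xbb\xcc\xdd";` if raw bytes are meant. The new `NSEC3PARAMRecordContent ns3prc;` also sets only `d_iterations` and `d_salt`, leaving the record's other fields at whatever the default constructor gives (not visible here), so if the remote backend serialises the whole record — the feedEnts3 body hunk is unreadable in this capture — the test sends indeterminate values; initialise them explicitly, and the same applies to the per-call record built in the nsec3dig.cc hunk. Finally the last parameter is `bool narrow`, so pass `false` rather than `0`.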
diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 0e9a43fac..dcca15107 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -1295,7 +1295,7 @@ bool GSQLBackend::feedEnts(int domain_id, map& nonterm) return true; }
-bool GSQLBackend::feedEnts3(int domain_id, const DNSName &domain, map &nonterm, unsigned int times, const string &salt, bool narrow)
+bool GSQLBackend::feedEnts3(int domain_id, const DNSName &domain, map &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow)
 { if(!d_dnssecQueries) return false;
@@ -1313,11 +1313,11 @@ bool GSQLBackend::feedEnts3(int domain_id, const DNSName &domain, map reset(); } else {
- ordername=toBase32Hex(hashQNameWithSalt(times, salt, nt.first));
+ ordername=toBase32Hex(hashQNameWithSalt(ns3prc, nt.first));
 d_InsertEntOrderQuery_stmt-> bind("domain_id",domain_id)-> bind("qname", nt.first)->
- bind("ordername",toLower(ordername))->
+ bind("ordername",ordername)->
 bind("auth",nt.second)-> execute()-> reset();
diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh
index 810185ed7..49dd3baea 100644
--- a/pdns/backends/gsql/gsqlbackend.hh
+++ b/pdns/backends/gsql/gsqlbackend.hh
@@ -171,7 +171,7 @@ public: bool abortTransaction(); bool feedRecord(const DNSResourceRecord &r, string *ordername=0); bool feedEnts(int domain_id, map& nonterm);
- bool feedEnts3(int domain_id, const DNSName &domain, map &nonterm, unsigned int times, const string &salt, bool narrow);
+ bool feedEnts3(int domain_id, const DNSName &domain, map &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow);
 bool createDomain(const DNSName &domain); bool createSlaveDomain(const string &ip, const DNSName &domain, const string &nameserver, const string &account); bool deleteDomain(const DNSName &domain);
diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh
index 13f8fac36..51b4f814f 100644
--- a/pdns/dnsbackend.hh
+++ b/pdns/dnsbackend.hh
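Review bot: The second gsqlbackend.cc hunk also drops `toLower()` from the `bind("ordername", …)` call, which is a behaviour change unrelated to the signature refactor the subject line describes. If toBase32Hex() already emits lowercase this is a no-op, but nothing in the diff establishes that, and the ordername column is what NSEC3 ordering queries compare against, so rows written by this code and by older code must agree on case; either keep `bind("ordername",toLower(ordername))->` here or state in the commit message why the lowercase pass is no longer needed. The enclosing loop over `nonterm` begins and ends outside the hunk.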
@@ -41,6 +41,7 @@ class DNSPacket;
 #include "namespaces.hh"
 #include "comment.hh"
 #include "dnsname.hh"
+#include "dnsrecords.hh"
 class DNSBackend; struct DomainInfo
@@ -274,7 +275,7 @@ public: { return false; }
- virtual bool feedEnts3(int domain_id, const DNSName &domain, map &nonterm, unsigned int times, const string &salt, bool narrow)
+ virtual bool feedEnts3(int domain_id, const DNSName &domain, map &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow)
 { return false; }
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 3a01ad05e..cf7abc7f3 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -379,23 +379,22 @@ uint32_t getStartOfWeek() return now; }
-std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const DNSName& qname)
+string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname)
 {
- string toHash;
- toHash.assign(qname.toDNSString());
- toHash.append(salt);
-// cerr< >& toSign, vector &rrc);
-std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const DNSName& qname);
+string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
 void decodeDERIntegerSequence(const std::string& input, vector& output); class DNSPacket; void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set& authMap, vector& rrs);
diff --git a/pdns/nsec3dig.cc b/pdns/nsec3dig.cc
index 44bf4e525..2f141a0ce 100644
--- a/pdns/nsec3dig.cc
+++ b/pdns/nsec3dig.cc
@@ -18,7 +18,10 @@ typedef set nsec3set; string nsec3Hash(const DNSName &qname, const string &salt, unsigned int iters) {
- return toBase32Hex(hashQNameWithSalt(iters, salt, qname));
+ NSEC3PARAMRecordContent ns3prc;
+ ns3prc.d_iterations = iters;
+ ns3prc.d_salt = salt;
+ return toBase32Hex(hashQNameWithSalt(ns3prc, qname));
 } void proveOrDeny(const nsec3set &nsec3s, const DNSName &qname, const string &salt, unsigned int iters, set &proven, set &denied)
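Review bot: The first dnsbackend.hh hunk adds `#include "dnsrecords.hh"` to a header that every backend pulls in, while the only new use in the file is the `const NSEC3PARAMRecordContent&` parameter of the feedEnts3 declaration in the second hunk, which a forward declaration satisfies. Replacing the include with `class NSEC3PARAMRecordContent;` next to the existing `class DNSBackend;` keeps the full record-type header out of every backend's translation unit and avoids making dnsbackend.hh depend on dnsrecords.hh for a by-reference parameter; the backends that actually call hashQNameWithSalt() need the complete type in their own .cc files anyway, which they presumably get through dnssecinfra.hh (their include lists are not part of this diff).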
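Review bot: hashQNameWithSalt() now receives the whole NSEC3PARAM record, and with it `ns3prc.d_iterations`, but nothing visible in the dnssecinfra.cc hunk bounds that value before the repeated hashing that the removed `times` parameter implies (the new body is cut off after the signature in this capture, so this is inferred rather than seen). The parameters reach this function from zone data — the slavecommunicator.cc hunks pass the `ns3pr` of a transferred zone, the rfc2136handler.cc hunks the one in effect during a dynamic update — so this single choke point is where a cap at the RFC 5155 §10.3 maximums, or a configured limit, would protect every caller at once; failing that, a comment at the top of the function, e.g. `// callers must have validated ns3prc.d_iterations; no limit is applied here`, would at least make the contract explicit. The old body hashed `qname.toDNSString()` followed by `salt`; the rewritten body should preserve that concatenation order so existing NSEC3 chains keep verifying, which a one-line comment naming RFC 5155 §5 would document.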
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 8ed7779cb..a08ef33e6 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -556,7 +556,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const DNSName& target, // add matching NSEC3 RR
 if (mode != 3) { unhashed=(mode == 0 || mode == 1 || mode == 5) ? target : closest;
- hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
+ hashed=hashQNameWithSalt(ns3rc, unhashed);
 DLOG(L<<"1 hash: "<second))
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname))) + zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, qname))) + zone;
 else if(!realrr) auth=false; }
@@ -709,7 +709,7 @@ int increaseSerial(const DNSName& zone, DNSSECKeeper &dk) DNSName ordername; if(haveNSEC3) { if(!narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, zone))) + zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zone))) + zone;
 } else ordername=zone; if(g_verbose)
@@ -1731,7 +1731,7 @@ try cerr<<"The '"<d_iterations, ns3pr->d_salt, qname))) + di->zone;
+ DNSName ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname))) + di->zone;
 if (! *narrow && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) { di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, qname, ordername, (ddepth == 0 ));
@@ -241,7 +241,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, if(*haveNSEC3) { DNSName ordername; if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rr->d_label)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_label)))+di->zone;
 if (*narrow) di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, rr->d_label, DNSName(), auth);
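Review bot: The rfc2136handler.cc hunks — the one ending in `+ DNSName ordername = …` on this line and those at -241, -308, -354, -488, -559 and -995 — each repeat `ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, X)))+di->zone;`, dereferencing the `ns3pr` pointer with no check in sight, exactly as the removed lines did through `ns3pr->d_iterations`. Now that a single record object is what gets passed, a small file-local helper, `static DNSName nsec3OrderName(const NSEC3PARAMRecordContent& ns3pr, const DNSName& name, const DNSName& zone)`, would collapse seven copies of the expression into one and give one place to document that `ns3pr` must be non-null whenever `*haveNSEC3` is set (that invariant is established outside these hunks, so it is inferred from the `if(*haveNSEC3)` guards). Each of these hunks sits inside performUpdate or increaseSerial, whose bodies start and end outside the diff.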
@@ -308,7 +308,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, { DNSName ordername; if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rr->d_label)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_label)))+di->zone;
 if (*narrow) di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, rr->d_label, DNSName(), auth);
@@ -354,7 +354,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, if(*haveNSEC3) { DNSName ordername; if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *qname)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, *qname)))+di->zone;
 if (*narrow) di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, rr->d_label, DNSName(), auth); // FIXME400 no *qname here?
@@ -488,7 +488,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, if(*haveNSEC3) { DNSName ordername; if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, changeRec)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)))+di->zone;
 di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, changeRec, ordername, true); }
@@ -559,7 +559,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, { DNSName ordername; if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)))+di->zone;
 di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, i, ordername, true); } }
@@ -995,7 +995,7 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di else if (haveNSEC3) { DNSName ordername; if (!narrow)
- ordername = DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, newRec.qname)))+di->zone;
+ ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, newRec.qname)))+di->zone;
 di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, newRec.qname, ordername, true); }
diff --git a/pdns/saxfr.cc b/pdns/saxfr.cc
index babf0cf60..c426098db 100644
--- a/pdns/saxfr.cc
+++ b/pdns/saxfr.cc
@@ -308,7 +308,7 @@ try { string hashed; for(const auto &label: labels) {
- hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, label));
+ hashed=toBase32Hex(hashQNameWithSalt(ns3pr, label));
 hashes.insert(pair(hashed, label)); } }
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index 879961e97..8de367f1c 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -327,7 +327,7 @@ void CommunicatorClass::suck(const DNSName &domain,const string &remote) bool auth; if (!rr.auth && rr.qtype.getCode() == QType::NS) { if (isNSEC3)
- ordername=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname));
+ ordername=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname));
 auth=(!isNSEC3 || !optOutFlag || secured.count(ordername)); } else auth=rr.auth;
@@ -354,7 +354,7 @@ void CommunicatorClass::suck(const DNSName &domain,const string &remote) if (isDnssecZone && rr.qtype.getCode() != QType::RRSIG) { if (isNSEC3) { // NSEC3
- ordername=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname));
+ ordername=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname));
 if(!isNarrow && (rr.auth || (rr.qtype.getCode() == QType::NS && (!optOutFlag || secured.count(ordername))))) { di.backend->feedRecord(rr, &ordername); } else
@@ -374,7 +374,7 @@ void CommunicatorClass::suck(const DNSName &domain,const string &remote) // Insert empty non-terminals
 if(doent && !nonterm.empty()) { if (isNSEC3) {
- di.backend->feedEnts3(domain_id, domain, nonterm, ns3pr.d_iterations, ns3pr.d_salt, isNarrow);
+ di.backend->feedEnts3(domain_id, domain, nonterm, ns3pr, isNarrow);
 } else di.backend->feedEnts(domain_id, nonterm); }
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 5d25068b0..88b32a066 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -677,7 +677,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou BOOST_FOREACH(const DNSSECKeeper::keyset_t::value_type& value, keys) { rr.qtype = QType(QType::DNSKEY); rr.content = value.first.getDNSKEY().getZoneRepresentation();
- string keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname.toString());
+ string keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr, rr.qname) : labelReverse(rr.qname.toString());
 NSECXEntry& ne = nsecxrepo[keyname]; ne.d_set.insert(rr.qtype.getCode());
@@ -701,7 +701,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou ns3pr.d_flags = 0; rr.content = ns3pr.getZoneRepresentation(); ns3pr.d_flags = flags;
- string keyname = hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname);
+ string keyname = hashQNameWithSalt(ns3pr, rr.qname);
 NSECXEntry& ne = nsecxrepo[keyname]; ne.d_set.insert(rr.qtype.getCode());
@@ -813,7 +813,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou records++; if(securedZone && (rr.auth || rr.qtype.getCode() == QType::NS)) { if (NSEC3Zone || rr.qtype.getCode()) {
- keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname.toString());
+ keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr, rr.qname) : labelReverse(rr.qname.toString());
 NSECXEntry& ne = nsecxrepo[keyname]; ne.d_ttl = sd.default_ttl; ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && (!ns3pr.d_flags || (presignedZone && ns3pr.d_flags))));
-- 
2.40.0