From 2ac8ae8963ec50862d9f72d56309f6ca1b7883dc Mon Sep 17 00:00:00 2001
From: bert hubert <bert.hubert@netherlabs.nl>
Date: Fri, 11 Dec 2015 13:18:38 +0100
Subject: [PATCH] implement DS anchor configuration, thank you
 https://twitter.com/PowerDNS_Bert/status/675241924803080192 - we default to
 the known root DS

---
 pdns/misc.hh              |  9 +++++++++
 pdns/rec-lua-conf.cc      | 31 +++++++++++++++++++++++++++++++
 pdns/rec-lua-conf.hh      |  1 +
 pdns/validate-recursor.cc |  3 +--
 pdns/validate.cc          | 12 ++++++------
 pdns/validate.hh          |  1 -
 6 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/pdns/misc.hh b/pdns/misc.hh
index 71895e5ea..8985ce337 100644
--- a/pdns/misc.hh
+++ b/pdns/misc.hh
@@ -645,6 +645,15 @@ const char* addS(const C& c, typename std::enable_if<std::is_class<C>::value>::t
   return addS(c.size());
 }
 
+template<typename C>
+const typename C::value_type::second_type* rplookup(const C& c, const typename C::value_type::first_type& key)
+{
+  auto fnd = c.find(key);
+  if(fnd == c.end())
+    return 0;
+  return &fnd->second;
+}
+
 double DiffTime(const struct timespec& first, const struct timespec& second);
 double DiffTime(const struct timeval& first, const struct timeval& second);
 uid_t strToUID(const string &str);
diff --git a/pdns/rec-lua-conf.cc b/pdns/rec-lua-conf.cc
index 6b298c205..7831008ec 100644
--- a/pdns/rec-lua-conf.cc
+++ b/pdns/rec-lua-conf.cc
@@ -30,6 +30,9 @@ GlobalStateHolder<LuaConfigItems> g_luaconfs;
 
 LuaConfigItems::LuaConfigItems()
 {
+  auto ds=std::unique_ptr<DSRecordContent>(dynamic_cast<DSRecordContent*>(DSRecordContent::make("19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5")));
+  // this hurts physically
+  dsAnchors[DNSName(".")] = *ds;
 }
 
 /* DID YOU READ THE STORY ABOVE? */
@@ -187,12 +190,40 @@ void loadRecursorLuaConfig(const std::string& fname)
 			theL()<<Logger::Error<<"Error in addSortList: "<<e.what()<<endl;
 		      }
 		    });
+
+  Lua.writeFunction("addDS", [&lci](const std::string& who, const std::string& what) {
+      lci.dsAnchors[DNSName(who)]= *std::unique_ptr<DSRecordContent>(dynamic_cast<DSRecordContent*>(DSRecordContent::make(what)));
+    });
+
+  Lua.writeFunction("clearDS", [&lci](boost::optional<string> who) {
+      if(who)
+        lci.dsAnchors.erase(DNSName(*who));
+      else
+        lci.dsAnchors.clear();
+    });
+
   try {
     Lua.executeCode(ifs);
     g_luaconfs.setState(lci);
   }
+  catch(const LuaContext::ExecutionErrorException& e) {
+    theL()<<Logger::Error<<"Unable to load Lua script from '"+fname+"': ";
+    try {
+      std::rethrow_if_nested(e);
+    } catch(const std::exception& e) {
+      // e is the exception that was thrown from inside the lambda
+      theL() << e.what() << std::endl;      
+    }
+    catch(const PDNSException& e) {
+      // e is the exception that was thrown from inside the lambda
+      theL() << e.reason << std::endl;      
+    }
+    throw;
+
+  }
   catch(std::exception& err) {
     theL()<<Logger::Error<<"Unable to load Lua script from '"+fname+"': "<<err.what()<<endl;
+    throw;
   }
 
 }
diff --git a/pdns/rec-lua-conf.hh b/pdns/rec-lua-conf.hh
index 226f16c0a..5d7ee964c 100644
--- a/pdns/rec-lua-conf.hh
+++ b/pdns/rec-lua-conf.hh
@@ -9,6 +9,7 @@ public:
   LuaConfigItems();
   SortList sortlist;
   DNSFilterEngine dfe;
+  map<DNSName,DSRecordContent> dsAnchors;
 };
 
 extern GlobalStateHolder<LuaConfigItems> g_luaconfs;
diff --git a/pdns/validate-recursor.cc b/pdns/validate-recursor.cc
index df1b549d6..6d056be23 100644
--- a/pdns/validate-recursor.cc
+++ b/pdns/validate-recursor.cc
@@ -23,7 +23,6 @@ public:
 
 vState validateRecords(const vector<DNSRecord>& recs)
 {
-  g_rootDS =  "19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5";
   cspmap_t cspmap=harvestCSPFromRecs(recs);
   //  cerr<<"Got "<<cspmap.size()<<" RRSETs: ";
   int numsigs=0;
@@ -40,7 +39,7 @@ vState validateRecords(const vector<DNSRecord>& recs)
   if(numsigs) {
     for(const auto& csp : cspmap) {
       for(const auto& sig : csp.second.signatures) {
-	vState state = getKeysFor(sro, sig->d_signer, keys);
+	getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
 	//	cerr<<"! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys"<<endl;
       }
     }
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 8a5bd229b..b2e213d92 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -1,6 +1,7 @@
 #include "validate.hh"
 #include "misc.hh"
 #include "dnssecinfra.hh"
+#include "rec-lua-conf.hh"
 #include "base32.hh"
 
 void dotEdge(DNSName zone, string type1, DNSName name1, string tag1, string type2, DNSName name2, string tag2, string color="");
@@ -157,19 +158,18 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 
   state = Indeterminate;
 
-  DNSName qname(".");
   typedef std::multimap<uint16_t, DSRecordContent> dsmap_t;
   dsmap_t dsmap;
   keyset_t validkeys;
 
-  state = Secure; // nice
+  DNSName qname(".");
+  state = Secure; // the root is secure
+  auto luaLocal = g_luaconfs.getLocal();
   while(zone.isPartOf(qname))
   {
-    if(qname.isRoot())
+    if(auto ds = rplookup(luaLocal->dsAnchors, qname))
     {
-      DSRecordContent rootanchor=dynamic_cast<DSRecordContent&> (*(DNSRecordContent::mastermake(QType::DS, 1, g_rootDS)));
-      dsmap.clear();
-      dsmap.insert(make_pair(rootanchor.d_tag, rootanchor));
+      dsmap.insert(make_pair(ds->d_tag, *ds));
     }
   
     vector<RRSIGRecordContent> sigs;
diff --git a/pdns/validate.hh b/pdns/validate.hh
index a29a97aa9..73011cfbd 100644
--- a/pdns/validate.hh
+++ b/pdns/validate.hh
@@ -33,4 +33,3 @@ void validateWithKeySet(const cspmap_t& rrsets, cspmap_t& validated, const std::
 cspmap_t harvestCSPFromRecs(const vector<DNSRecord>& recs);
 vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, std::set<DNSKEYRecordContent> &keyset);
 
-extern const char *g_rootDS;
-- 
2.40.0