From b5baefafdf6413af8e4a4b0848a6139700342d6f Mon Sep 17 00:00:00 2001 From: Peter van Dijk Date: Mon, 1 Oct 2012 14:35:23 +0000 Subject: [PATCH] Import ENT support, done by Kees Monshouwer. Additional testing by Ruben d'Arco. git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2721 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- modules/gmysqlbackend/gmysqlbackend.cc | 6 +- modules/gpgsqlbackend/gpgsqlbackend.cc | 6 +- modules/gsqlite3backend/gsqlite3backend.cc | 6 +- modules/tinydnsbackend/data | 2 + modules/tinydnsbackend/data.cdb | Bin 1344856 -> 1344972 bytes pdns/backends/bind/bindbackend2.cc | 64 ++++++++++- pdns/backends/bind/bindbackend2.hh | 1 + pdns/backends/gsql/gsqlbackend.cc | 59 ++++++++++ pdns/backends/gsql/gsqlbackend.hh | 6 + pdns/botansigners.cc | 5 +- pdns/common_startup.cc | 1 + pdns/dnsbackend.hh | 10 ++ pdns/nsecrecords.cc | 7 +- pdns/packethandler.cc | 76 ++++++------ pdns/pdns.conf-dist | 5 + pdns/pdnssec.cc | 108 ++++++++++++++---- pdns/slavecommunicator.cc | 90 +++++++++++---- pdns/tcpreceiver.cc | 23 ++-- .../tinydns-data-check/expected_result | 4 +- .../expected_result.narrow | 2 +- regression-tests/cleandig | 7 ++ .../expected_result.narrow | 2 +- .../expected_result.narrow | 2 +- .../expected_result.narrow | 2 +- regression-tests/ent-any/command | 2 + regression-tests/ent-any/description | 1 + regression-tests/ent-any/expected_result | 7 ++ .../ent-any/expected_result.narrow | 7 ++ .../ent-any/expected_result.nsec3 | 7 ++ regression-tests/ent-any/skip.nodnssec | 0 regression-tests/ent-axfr/command | 2 + regression-tests/ent-axfr/description | 1 + regression-tests/ent-axfr/expected_result | 16 +++ .../ent-axfr/expected_result.nsec3 | 20 ++++ regression-tests/ent-axfr/skip.nodnssec | 0 regression-tests/ent-axfr/use.drill | 0 .../ent-rr-enclosed-in-ent/command | 2 + .../ent-rr-enclosed-in-ent/description | 1 + .../ent-rr-enclosed-in-ent/expected_result | 7 ++ .../expected_result.narrow | 7 ++ .../expected_result.nsec3 | 7 ++ .../ent-rr-enclosed-in-ent/skip.nodnssec | 0 regression-tests/ent-soa/command | 2 + regression-tests/ent-soa/description | 1 + regression-tests/ent-soa/expected_result | 7 ++ .../ent-soa/expected_result.narrow | 7 ++ .../ent-soa/expected_result.nsec3 | 7 ++ regression-tests/ent-soa/skip.nodnssec | 0 .../ent-wildcard-below-ent/command | 2 + .../ent-wildcard-below-ent/description | 1 + .../ent-wildcard-below-ent/expected_result | 7 ++ .../expected_result.narrow | 7 ++ .../expected_result.nsec3 | 7 ++ .../ent-wildcard-below-ent/skip.nodnssec | 0 regression-tests/ent/command | 2 + regression-tests/ent/description | 1 + regression-tests/ent/expected_result | 7 ++ regression-tests/ent/expected_result.narrow | 7 ++ regression-tests/ent/expected_result.nsec3 | 7 ++ regression-tests/ent/skip.nodnssec | 0 .../expected_result.narrow | 2 +- .../expected_result.narrow | 2 +- .../minimal-nxdomain/expected_result.narrow | 4 +- .../nsec-glue-at-delegation/expected_result | 2 +- .../expected_result.narrow | 2 +- .../expected_result.nsec3 | 6 +- .../nsec-glue/expected_result.narrow | 4 +- .../nsec-middle/expected_result.narrow | 4 +- .../nsec-wildcard/expected_result.narrow | 2 +- .../expected_result.narrow | 4 +- .../expected_result.narrow | 4 +- regression-tests/start-test-stop | 2 +- regression-tests/test.com | 2 + .../two-level-nxdomain/expected_result.narrow | 4 +- .../underscore-sorting/expected_result.narrow | 4 +- .../underscore-sorting/expected_result.nsec3 | 2 +- 76 files changed, 567 insertions(+), 136 deletions(-) create mode 100755 regression-tests/ent-any/command create mode 100644 regression-tests/ent-any/description create mode 100644 regression-tests/ent-any/expected_result create mode 100644 regression-tests/ent-any/expected_result.narrow create mode 100644 regression-tests/ent-any/expected_result.nsec3 create mode 100644 regression-tests/ent-any/skip.nodnssec create mode 100755 regression-tests/ent-axfr/command create mode 100644 regression-tests/ent-axfr/description create mode 100644 regression-tests/ent-axfr/expected_result create mode 100644 regression-tests/ent-axfr/expected_result.nsec3 create mode 100644 regression-tests/ent-axfr/skip.nodnssec create mode 100644 regression-tests/ent-axfr/use.drill create mode 100755 regression-tests/ent-rr-enclosed-in-ent/command create mode 100644 regression-tests/ent-rr-enclosed-in-ent/description create mode 100644 regression-tests/ent-rr-enclosed-in-ent/expected_result create mode 100644 regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow create mode 100644 regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 create mode 100644 regression-tests/ent-rr-enclosed-in-ent/skip.nodnssec create mode 100755 regression-tests/ent-soa/command create mode 100644 regression-tests/ent-soa/description create mode 100644 regression-tests/ent-soa/expected_result create mode 100644 regression-tests/ent-soa/expected_result.narrow create mode 100644 regression-tests/ent-soa/expected_result.nsec3 create mode 100644 regression-tests/ent-soa/skip.nodnssec create mode 100755 regression-tests/ent-wildcard-below-ent/command create mode 100644 regression-tests/ent-wildcard-below-ent/description create mode 100644 regression-tests/ent-wildcard-below-ent/expected_result create mode 100644 regression-tests/ent-wildcard-below-ent/expected_result.narrow create mode 100644 regression-tests/ent-wildcard-below-ent/expected_result.nsec3 create mode 100644 regression-tests/ent-wildcard-below-ent/skip.nodnssec create mode 100755 regression-tests/ent/command create mode 100644 regression-tests/ent/description create mode 100644 regression-tests/ent/expected_result create mode 100644 regression-tests/ent/expected_result.narrow create mode 100644 regression-tests/ent/expected_result.nsec3 create mode 100644 regression-tests/ent/skip.nodnssec diff --git a/modules/gmysqlbackend/gmysqlbackend.cc b/modules/gmysqlbackend/gmysqlbackend.cc index 947c7cddf..86ca233aa 100644 --- a/modules/gmysqlbackend/gmysqlbackend.cc +++ b/modules/gmysqlbackend/gmysqlbackend.cc @@ -92,7 +92,11 @@ public: declare(suffix,"get-order-after-query","DNSSEC Ordering Query, after", "select min(ordername) from records where ordername > '%s' and domain_id=%d and ordername is not null"); declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 desc limit 1"); declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'"); - declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'"); + declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null"); + declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'"); + declare(suffix,"remove-empty-non-terminals-from-zone-query", "remove all empty non-terminals from zone", "delete from records where domain_id='%d' and type is null"); + declare(suffix,"insert-empty-non-terminal-query", "insert empty non-terminal in zone", "insert into records (domain_id,name,type,auth) values ('%d','%s',null,'1')"); + declare(suffix,"delete-empty-non-terminal-query", "delete empty non-terminal from zone", "delete from records where domain_id='%d' and name='%s' and type is null"); declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d"); declare(suffix,"update-lastcheck-query","", "update domains set last_check=%d where id=%d"); diff --git a/modules/gpgsqlbackend/gpgsqlbackend.cc b/modules/gpgsqlbackend/gpgsqlbackend.cc index 8748edd12..ad6f760e9 100644 --- a/modules/gpgsqlbackend/gpgsqlbackend.cc +++ b/modules/gpgsqlbackend/gpgsqlbackend.cc @@ -90,7 +90,11 @@ public: declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 using ~>~ limit 1"); declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername=E'%s',auth=(%d = 1) where name=E'%s' and domain_id='%d'"); - declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername query", "update records set ordername=NULL,auth=false where name=E'%s' and type=E'%s' and domain_id='%d'"); + declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null"); + declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=false where name=E'%s' and type=E'%s' and domain_id='%d'"); + declare(suffix,"remove-empty-non-terminals-from-zone-query", "remove all empty non-terminals from zone", "delete from records where domain_id='%d' and type is null"); + declare(suffix,"insert-empty-non-terminal-query", "insert empty non-terminal in zone", "insert into records (domain_id,name,type,auth) values ('%d','%s',null,true)"); + declare(suffix,"delete-empty-non-terminal-query", "delete empty non-terminal from zone", "delete from records where domain_id='%d' and name='%s' and type is null"); declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d"); declare(suffix,"update-lastcheck-query","", "update domains set last_check=%d where id=%d"); diff --git a/modules/gsqlite3backend/gsqlite3backend.cc b/modules/gsqlite3backend/gsqlite3backend.cc index b9a91a1ad..f7692582a 100644 --- a/modules/gsqlite3backend/gsqlite3backend.cc +++ b/modules/gsqlite3backend/gsqlite3backend.cc @@ -89,7 +89,11 @@ public: declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 desc limit 1"); declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'"); - declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'"); + declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null"); + declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'"); + declare(suffix,"remove-empty-non-terminals-from-zone-query", "remove all empty non-terminals from zone", "delete from records where domain_id='%d' and type is null"); + declare(suffix,"insert-empty-non-terminal-query", "insert empty non-terminal in zone", "insert into records (domain_id,name,type,auth) values ('%d','%s',null,'1')"); + declare(suffix,"delete-empty-non-terminal-query", "delete empty non-terminal from zone", "delete from records where domain_id='%d' and name='%s' and type is null"); declare( suffix, "master-zone-query", "Data", "select master from domains where name='%s' and type='SLAVE'"); diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data index 521a3099b..072b40846 100644 --- a/modules/tinydnsbackend/data +++ b/modules/tinydnsbackend/data @@ -20132,6 +20132,8 @@ Ztest.com:ns1.test.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600 :_underscore.test.com:16:\030underscores\040are\040terrible:3600 +blah.test.com:192.168.6.1:3600 &blah.test.com::blah.test.com.:3600 ++b.c.test.com:5.6.7.8:3600 ++\052.a.b.c.test.com:8.7.6.5:3600 +counter.test.com:1.1.1.5:3600 :_double._tcp.dc.test.com:33:\000\000\000d\001\205\007server1\004test\003com\000:3600 :_double._tcp.dc.test.com:33:\000\001\000d\001\205\007server1\004test\003com\000:3600 diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb index f1f624ff0b54576af757b849246bea6bdaf6af63..3cefcd81cb793364c24590cbf3392eb2080c8951 100644 GIT binary patch delta 4290 zcmZuz30M=y9-nX|0Ty<4HwyTof(KBIZM9T9Qbm1AtD&M6vClkPr2=A#w^bVr-U^7Q zD~lKul~ZH2YFUawE%nta^<0lW(@L#Mr76_2(nfu=GXdWF`uM*2e)%6W^Z)(kKeOD( z8t=#+Z_yXfUY^ z0#ph?S31OuowFcT$UUF#?vIOI}d?Hmcl9#X673nhE9lk z!B9__YVSa>P+qVBf^`Tf7m2%@N!;;>Ftk4-1?4;^w%LopN*GlPR!B!N_{dz4A&PWh zEI7g5iNVZ_T^Xzd)q}wd%~1qhI^wtXB?}n)lYI9e5;qNHa1WS9GFXY6F$`9~IF13; zs9~gU{Z%guzE*LV1hi2`fpQTFc<> z*JYD=+Kmj@EysBe!vYV(B7%-*h2_9v@FPyr3`1W63!kZ&k;r9P92N8pX$eACA2Xt?smPN#b>P>#)8k# zeCsIUw~t|E1;>a~g|#L-#R@m9ouYanBeQlKF;D zS$y`Um3fieD-*b^uRa{_k<&n1NCyDMh-K!eaI0-J|cP6G&0X*B8BSa z5OgizNS80+@DVyJq)^i;VjI?T7Tg^AT;kAfAqjSYEMT^B_^jQ<99F_uN|;l7Ioxde z103!d$6=CZs3y#f#|TsNNuq%MEJ61L!rXP0#3?7LNLIk{BZnUhYXb)kAzSw=VM;yV z@Ga0jA&j*x9(+#XZlJ+&%2$IGq5L$s>vcgI@=ahhSOIsi1}osyYVbRt?WVy;X17F; z1bc6iV0~SK8R_2C;4^j()L?}iLo`?k!w7hk7)10WmXKR|QAur)n z4L(|Dss!YfG`!L9LBkgfB^q)}jfNi@{%8cC zL7@?dMv&N|qTgRZ1tH-$G!)Ym$@y7yDCetGsbQ;gs_ga=n9X#Ek6NYl6~|}Md!rO( z;`2lFafM>0SbK!Nutsr3*f1Cddug-9vcYhazh9qCH0YjfU7ajG83|)(?-_Ztu*nZj z74s6|{7CQV+1PwVe0?dTD6h~B;*j+)LaF#goW2pJzT(|^t0(@f8k##RPKgVy!Q-s| znJqLJsk*wO3oi`052th*yA|2Bm$no?3&j32vW?=3e4*+-eARnmJ}t~Cr$eh6p*dSo zDlT2Xyi~G_1R5kaok+OsK~;f}Yi8E?J9Cl$rrEpSMxo16CZgA*jl^CrV@v(EY#p&{ zJpN}MjLs7?mNFRu{!g=MkRsK_ch3>;tz(V_`W@hDFk{z6M}xROpGjR5uqOxo7q+{4 zNB=@Uxvp?AmS*oLy_awHuubU5{y457flsk+NYxf^{lPcxu<_$nLf3RQG?;fhcs=YY+O=up?2=wyfOl1PnfQ$@hcvM7j*W)^IzlbNqwR= zw(SM@#v9}R7>m@Yet9*a7U7Tt8lFYOJ5yB6_bMR<5fA2LiymuNAZNg;`yu_2I;Y~& z=jRb2RQ$@4q(Kv~5h~=Rv1<8~f&cjM=NCqoplJ)wpU%AK1Nimt@XsQBTf>0=;!bK* zLAxM)hoSz%{nhR9weHWL63u@xv%#5`R|w$W zYw9rV0urh6cn}<;2K@HunV)8n8xqVv9F;pa3xK+w^QqG-{88XX9uvBuP zkt7Uzxk1tWqMR-*ulET35eN(vFduJaG4$7v0-?T)LTA*kr}M6*^R^z0ze+7!o^rL{g0k$rQ8lZq|eL+`%Wk!`fG`UwlhnG1lp0+$dPSRTKzgfWaE23=cq(`359x^aK*ODk-1bLKI%o0T z+la($`o!{dRr|3>+Ln@t$>hw0b)_5=QPI??Y%&t|+`asTBhiUJ3(PEzKti>o+SN2# zcvsP{Uk1@abD7*8Z#Yhc1+@zz`RDJ>_ebhqH4D3gQ8gc=ZqIt66b_Vgp|rFn;byNB z=&0b}TZQiulH$Qi&P*u|3w^4%U?voOg|DZnE8;x3PE4%g;)W?&#G>E1=0V<(>pdeb75?#Fk&eHIOQb8WeE zjdqbj*$5%W9tvfEwC^L*_7Sn$4^b!`?AB@uWjf_2E_s|nTb%I{g${yL*HEY&WKoyv_4|dJ_WI}s^YtkYb3C_lL z(3OxQ{z6G+Q%#9!G#{Duc)LcN1D6!nq5U|?autIoHm_wc7YyqeeD|h}489UI#2K6)WD~z7 zhr#T(<&y8L`3ySX^zU>{Xm(9lN~GZcgV}F6L=Z6_VeodCji0&#PcWGMs?)B?YDu8! zJekm8C4R#<1PRTzB!T7ziMKW}nEjR(f`p}&!R%MJlL74yh~L&lkZ?R@@D>>LUMz+} z>&N1W^fZf+(D5urK(8j!Fn~q5PAG#}jD#ta#2GZiZyLs8_FG1>7zyhb7PH+R&EmVZ zO=8i<@V$0AvFl@5Cjzkl@%RVQC$i)nSU{v{F^kEfeUrr;(db#s5$j48Bc*+Z==L=7 zy?rB#?_QO~Vk8_nEZ+C14_G{D4k+6Ajk6F{^mYdW%1gugb*o1c4x)ATWT(??B}s9$%T( zIG6-zBS?VeMIKLNiRAGe>&NjJA>GS7M#46QNZkyQz!A%1Zdl@Zyq>B=p0NKl9&Mmyfqtm{7{%ScPY1ZDHU+s;JCx_fa3|r3y#yLg5wRx2aYcs zKREty0;Db_wIEwMm`fejDCSBD$EjL{B1mGspc-=&MzJND4sx^RO8-XF(|x?ZFQ8CJ zUddKUnmL^wODO`StVH@oxI2?aiA)wVMB1{6_VaW5`hBTzJ3ZJ-AxbBA&?!UQ>jjs8 z_DMSZImNqD{dKyQ^-0@Fp=ru%doS)33-8j4`#lsuuerLj%;AsiX+^|;v`F-6qer;A z6;onDHPu&|*G8x3DH5csY0OhEHWdC1db9m(e1=ON7sa2`nH(QeKG>Vm-EZcLYd0~2 zhkEQF`e>)@YTlJMjOfWOd$~(C?~v*?F{^xi4&+fNS+1GWm?w?j&V1?by$~8)zW++Y zPDvp$DF#KHw47oorTg$g*L>xD*p`GyruDP)_dJpC@8|UgPI&+&$)8|(dM&<2fdm;H zR9$yRLTc4&k9XXVFy`pmiDE)1+g~hD)3i|-($Tpr#sdjYR}nd=Njz3khG`PSKc^-DQvv_Pzh9H&jSi{9Bb_SucA-=ZnGD5E3k9 zR70v)PyD++^QQPi-v262N8AbsLc;c$f+HLXtPQIE16E3?n6>QKB=Lt8Y=2()&87d; zLCrHs!!-apSCV=(f!^_un|U>AErWOP_=OoS)yRpOoU{W!yON(MncDJ^P}4$C~n? zZlv$@m8{xR*gEQ%Ui`F);l$Z1SnuiMF6p;)L8JGl=dTU!LHAjLs@ecL7B2hetA_^| zp|x#~KBm2(`#kurG`d5Z;DHMy3H~n@^O$-ioOVX_Jcv@=K!_5;|f)9m$gyF4*1biR7f+yS^Q&L~>|KGh2#~e5p$R%L%{kR7k#%A9FKR zh2&$4=3oEIy~n=l(9&5OAbxMxtA%1q8^y)RH}|OKpH%dOXa+uMF6>!RxzFi`mzf?~ z$!4}ZXTMud{MyBt>eU`dj>`*8jrI_u4|09QY&9JmCdVavG{|m9UKei6n4my%N&UHR zlf97q%bb$rHPHO4Q>H|Tida4(T<%IaqoR5h`R=&6T@4{+nYTvdLBEEZCCMEMvHu}R zzA}~%4wA2>iwA&Rm)e$#LigQ zJEtp5zGQSi+ywo!c$QIbvw(re=XEE}3zrS2O4DcAc`A%*p z_|N4|C=grLvC$Ldu!nW|Mc^7Y`}V4QXz)h)qKsR;E~jczF4Fb7&!)`X?InOyT*30m zA|p{;kQ|#f2_?eSM@~&Tr38S6eAc{P>n5(K;QAT&m;Qb-fI{-pY;VIyQ09|6|9cVw z9bEdgc>T1VXHm|HZyI_Q=(cm#V{-D8TIU<~f)sj~OZQW}F77|U1uFVJ u3W;%W9pe?7B*iGc*3-MOm_nUtBa%0Wokd)K>2?%9+f5N8jg02^%=$m2#D#JI diff --git a/pdns/backends/bind/bindbackend2.cc b/pdns/backends/bind/bindbackend2.cc index b60b13c4f..2b0ee4ae5 100644 --- a/pdns/backends/bind/bindbackend2.cc +++ b/pdns/backends/bind/bindbackend2.cc @@ -437,6 +437,9 @@ void Bind2Backend::insert(shared_ptr stage, int id, const string &qnameu, bdr.qtype=qtype.getCode(); bdr.content=content; bdr.nsec3hash = hashed; + + if (!qtype.getCode()) // Set auth on empty non-terminals + bdr.auth=true; if(bdr.qtype == QType::MX || bdr.qtype == QType::SRV) { prio=atoi(bdr.content.c_str()); @@ -602,6 +605,56 @@ void Bind2Backend::fixupAuth(shared_ptr records) } } +void Bind2Backend::doEmptyNonTerminals(shared_ptr stage, int id, bool nsec3zone, NSEC3PARAMRecordContent ns3pr) +{ + BB2DomainInfo bb2 = stage->id_zone_map[id]; + + bool doent=true; + set qnames, nonterm; + string qname, shorter, hashed; + + uint32_t maxent = ::arg().asNum("max-ent-entries"); + + BOOST_FOREACH(const Bind2DNSRecord& bdr, *bb2.d_records) + if (bdr.auth) + qnames.insert(labelReverse(bdr.qname)); + + BOOST_FOREACH(const string& qname, qnames) + { + shorter=qname; + + while(chopOff(shorter)) + { + if(!qnames.count(shorter) && !nonterm.count(shorter)) + { + if(!(maxent)) + { + L<id_zone_map[bbd->d_id].d_records->begin(), staging->id_zone_map[bbd->d_id].d_records->end()); - shared_ptr records=staging->id_zone_map[bbd->d_id].d_records; - fixupAuth(records); + fixupAuth(staging->id_zone_map[bbd->d_id].d_records); + doEmptyNonTerminals(staging, bbd->d_id, nsec3zone, ns3pr); staging->id_zone_map[bbd->d_id].setCtime(); staging->id_zone_map[bbd->d_id].d_loaded=true; @@ -827,6 +880,7 @@ void Bind2Backend::queueReload(BB2DomainInfo *bbd) // cerr<<"Sorting done"<id_zone_map[bbd->d_id].d_records); + doEmptyNonTerminals(staging, bbd->d_id, nsec3zone, ns3pr); staging->id_zone_map[bbd->d_id].setCtime(); s_state->id_zone_map[bbd->d_id]=staging->id_zone_map[bbd->d_id]; // move over @@ -856,9 +910,9 @@ bool Bind2Backend::findBeforeAndAfterUnhashed(BB2DomainInfo& bbd, const std::str //cout<<"starting lower bound for: '"<lower_bound(domain); + recordstorage_t::const_iterator iter = bbd.d_records->upper_bound(domain); - while(iter == bbd.d_records->end() || (iter->qname) > domain || (!(iter->auth) && !(iter->qtype == QType::NS))) + while(iter == bbd.d_records->end() || (iter->qname) > domain || (!(iter->auth) && (!(iter->qtype == QType::NS))) || (!(iter->qtype))) iter--; before=iter->qname; @@ -874,7 +928,7 @@ bool Bind2Backend::findBeforeAndAfterUnhashed(BB2DomainInfo& bbd, const std::str //cerr<<"\tFound: '"<<(iter->qname)<<"' (nsec3hash='"<<(iter->nsec3hash)<<"')"<auth) && !(iter->qtype == QType::NS)) + while((!(iter->auth) && (!(iter->qtype == QType::NS))) || (!(iter->qtype))) { iter++; if(iter == bbd.d_records->end()) diff --git a/pdns/backends/bind/bindbackend2.hh b/pdns/backends/bind/bindbackend2.hh index 617fa011b..fea1af67c 100644 --- a/pdns/backends/bind/bindbackend2.hh +++ b/pdns/backends/bind/bindbackend2.hh @@ -246,6 +246,7 @@ private: static string DLListRejectsHandler(const vector&parts, Utility::pid_t ppid); static string DLReloadNowHandler(const vector&parts, Utility::pid_t ppid); static void fixupAuth(shared_ptr records); + static void doEmptyNonTerminals(shared_ptr stage, int id, bool nsec3zone, NSEC3PARAMRecordContent ns3pr); void loadConfig(string *status=0); static void nukeZoneRecords(BB2DomainInfo *bbd); }; diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc index 12396e8ab..18e342e9b 100644 --- a/pdns/backends/gsql/gsqlbackend.cc +++ b/pdns/backends/gsql/gsqlbackend.cc @@ -287,7 +287,11 @@ GSQLBackend::GSQLBackend(const string &mode, const string &suffix) d_afterOrderQuery = getArg("get-order-after-query"); d_lastOrderQuery = getArg("get-order-last-query"); d_setOrderAuthQuery = getArg("set-order-and-auth-query"); + d_nullifyOrderNameQuery = getArg("nullify-ordername-query"); d_nullifyOrderNameAndAuthQuery = getArg("nullify-ordername-and-auth-query"); + d_removeEmptyNonTerminalsFromZoneQuery = getArg("remove-empty-non-terminals-from-zone-query"); + d_insertEmptyNonTerminalQuery = getArg("insert-empty-non-terminal-query"); + d_deleteEmptyNonTerminalQuery = getArg("delete-empty-non-terminal-query"); d_AddDomainKeyQuery = getArg("add-domain-key-query"); d_ListDomainKeysQuery = getArg("list-domain-keys-query"); @@ -326,6 +330,17 @@ bool GSQLBackend::updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std return true; } +bool GSQLBackend::nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname) +{ + if(!d_dnssecQueries) + return false; + char output[1024]; + + snprintf(output, sizeof(output)-1, d_nullifyOrderNameQuery.c_str(), domain_id, sqlEscape(qname).c_str()); + d_db->doCommand(output); + return true; +} + bool GSQLBackend::nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::string& qname, const std::string& type) { if(!d_dnssecQueries) @@ -337,6 +352,50 @@ bool GSQLBackend::nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::s return true; } +bool GSQLBackend::updateEmptyNonTerminals(uint32_t domain_id, const std::string& zonename, set& insert, set& erase, bool remove) +{ + if(!d_dnssecQueries) + return false; + char output[1024]; + + if(remove) { + snprintf(output,sizeof(output)-1,d_removeEmptyNonTerminalsFromZoneQuery.c_str(), domain_id); + try { + d_db->doCommand(output); + } + catch (SSqlException &e) { + throw AhuException("GSQLBackend unable to delete empty non-terminal records from domain_id "+itoa(domain_id)+": "+e.txtReason()); + return false; + } + } + else + { + BOOST_FOREACH(const string qname, erase) { + snprintf(output,sizeof(output)-1,d_deleteEmptyNonTerminalQuery.c_str(), domain_id, sqlEscape(qname).c_str()); + try { + d_db->doCommand(output); + } + catch (SSqlException &e) { + throw AhuException("GSQLBackend unable to delete empty non-terminal rr "+qname+" from domain_id "+itoa(domain_id)+": "+e.txtReason()); + return false; + } + } + } + + BOOST_FOREACH(const string qname, insert) { + snprintf(output,sizeof(output)-1,d_insertEmptyNonTerminalQuery.c_str(), domain_id, sqlEscape(qname).c_str()); + try { + d_db->doCommand(output); + } + catch (SSqlException &e) { + throw AhuException("GSQLBackend unable to insert empty non-terminal rr "+qname+" in domain_id "+itoa(domain_id)+": "+e.txtReason()); + return false; + } + } + + return true; +} + bool GSQLBackend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after) { if(!d_dnssecQueries) diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh index 7186ec208..08db1dce7 100644 --- a/pdns/backends/gsql/gsqlbackend.hh +++ b/pdns/backends/gsql/gsqlbackend.hh @@ -43,7 +43,9 @@ public: virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after); bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth); virtual bool updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth); + virtual bool nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname); virtual bool nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::string& qname, const std::string& type); + virtual bool updateEmptyNonTerminals(uint32_t domain_id, const std::string& zonename, set& insert ,set& erase, bool remove); virtual bool calculateSOASerial(const string& domain, const SOAData& sd, time_t& serial); @@ -92,7 +94,11 @@ private: string d_afterOrderQuery; string d_lastOrderQuery; string d_setOrderAuthQuery; + string d_nullifyOrderNameQuery; string d_nullifyOrderNameAndAuthQuery; + string d_removeEmptyNonTerminalsFromZoneQuery; + string d_insertEmptyNonTerminalQuery; + string d_deleteEmptyNonTerminalQuery; string d_AddDomainKeyQuery; string d_ListDomainKeysQuery; diff --git a/pdns/botansigners.cc b/pdns/botansigners.cc index 78b756dc1..2974a6b73 100644 --- a/pdns/botansigners.cc +++ b/pdns/botansigners.cc @@ -6,7 +6,6 @@ #include #include #include -#include #include "dnssecinfra.hh" using namespace Botan; @@ -93,15 +92,13 @@ DNSCryptoKeyEngine::storvector_t BotanRSADNSCryptoKeyEngine::convertToISCVector( #if BOTAN_VERSION_CODE < BOTAN_VERSION_CODE_FOR(1,9,0) BigInt d1 = d_key->get_d() % (d_key->get_p() - 1); BigInt d2 = d_key->get_d() % (d_key->get_q() - 1); - BigInt c = inverse_mod(d_key->get_q(), d_key->get_p()); #else BigInt d1 = d_key->get_d1(); BigInt d2 = d_key->get_d2(); - BigInt c = d_key->get_c(); #endif storvect.push_back(make_pair("Exponent1", asRaw(d1))); storvect.push_back(make_pair("Exponent2", asRaw(d2))); - storvect.push_back(make_pair("Coefficient", asRaw(c))); + storvect.push_back(make_pair("Coefficient", asRaw(d_key->get_q()))); return storvect; } diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index 3018a9a2d..baedec590 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -132,6 +132,7 @@ void declareArguments() ::arg().set("setgid","If set, change group id to this gid for more security")=""; ::arg().set("max-cache-entries", "Maximum number of cache entries")="1000000"; + ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000"; ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom"; ::arg().set("lua-prequery-script", "Lua script with prequery handler")=""; diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh index 6a4096560..4b8b9c464 100644 --- a/pdns/dnsbackend.hh +++ b/pdns/dnsbackend.hh @@ -136,6 +136,16 @@ public: return false; } + virtual bool updateEmptyNonTerminals(uint32_t domain_id, const std::string& zonename, set& insert, set& erase, bool remove) + { + return false; + } + + virtual bool nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname) + { + return false; + } + virtual bool nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::string& qname, const std::string& type) { return false; diff --git a/pdns/nsecrecords.cc b/pdns/nsecrecords.cc index aa16b2b4e..15fccdc4f 100644 --- a/pdns/nsecrecords.cc +++ b/pdns/nsecrecords.cc @@ -172,8 +172,11 @@ void NSEC3RecordContent::toPacket(DNSPacketWriter& pw) res[0] = static_cast(window); res[1] = static_cast(len); - tmp.assign(res, res+len+2); - pw.xfrBlob(tmp); + + if (len) { + tmp.assign(res, res+len+2); + pw.xfrBlob(tmp); + } } NSEC3RecordContent::DNSRecordContent* NSEC3RecordContent::make(const DNSRecord &dr, PacketReader& pr) diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 87434d01e..ce6f934b6 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -424,16 +424,14 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c DNSResourceRecord rr; B.lookup(QType(QType::ANY), begin); while(B.get(rr)) { - if(rr.domain_id == sd.domain_id && (rr.qtype.getCode() == QType::NS || rr.auth)) + if(rr.domain_id == sd.domain_id && (rr.qtype.getCode() == QType::NS || rr.auth)) nrc.d_set.insert(rr.qtype.getCode()); } nrc.d_next=end; - rr.ttl = sd.default_ttl; - rr.qname=begin; - // we can leave ttl untouched, either it is the default, or it is what we retrieved above + rr.ttl = sd.default_ttl; rr.qtype=QType::NSEC; rr.content=nrc.getZoneRepresentation(); rr.d_place = (mode == 5 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY; @@ -446,33 +444,37 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa { // cerr<<"We should emit NSEC3 '"<addRecord(rr); } @@ -484,7 +486,7 @@ void PacketHandler::emitNSEC3(const NSEC3PARAMRecordContent& ns3prc, const SOADa /* mode 0 = No Data Responses, QTYPE is not DS - mode 1 = No Data Responses, QTYPE is DS (can we do this already?) + mode 1 = No Data Responses, QTYPE is DS mode 2 = Wildcard No Data Responses mode 3 = Wildcard Answer Responses mode 4 = Name Error Responses @@ -542,8 +544,10 @@ bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hash if(narrow) { // nsec3-narrow ret=true; before=hashed; - if(decrement) + if(decrement) { decrementHash(before); + unhashed.clear(); + } after=hashed; incrementHash(after); } @@ -650,36 +654,24 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, co string before,after; //cerr<<"Calling getBeforeandAfter!"<getBeforeAndAfterNames(sd.domain_id, auth, p->qdomain, before, after); + emitNSEC(before, after, target, sd, r, mode); + sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after); } else { sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after); } - // cerr<<"Done calling, before='"<getBeforeAndAfterNames(sd.domain_id, auth, target, before, after); - emitNSEC(target, after, auth, sd, r, mode); - } - else { + if (mode == 4) { // this one does wildcard denial, if applicable sd.db->getBeforeAndAfterNames(sd.domain_id, auth, auth, before, after); emitNSEC(auth, after, auth, sd, r, mode); - } } - if(mode == 3) - emitNSEC(before, after, target, sd, r, mode); - return; } @@ -1289,14 +1281,20 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) } } else if(weDone) { + bool haveRecords = false; BOOST_FOREACH(rr, rrset) { - if((p->qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth) + if((p->qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.qtype.getCode() && rr.auth) { r->addRecord(rr); + haveRecords = true; + } } - if(p->qtype.getCode() == QType::ANY) { - completeANYRecords(p, r, sd, target); + if (haveRecords) { + if(p->qtype.getCode() == QType::ANY) + completeANYRecords(p, r, sd, target); } + else + makeNOError(p, r, rr.qname, sd, 0); goto sendit; } diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist index aaf4879e9..873f6f7f3 100644 --- a/pdns/pdns.conf-dist +++ b/pdns/pdns.conf-dist @@ -169,6 +169,11 @@ # # max-cache-entries=1000000 +################################# +# max-ent-entries Maximum number of empty non-terminals in a zone +# +# max-ent-entries=100000 + ################################# # max-queue-length Maximum queuelength before considering situation lost # diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc index 2d62a2c5b..db09cef15 100644 --- a/pdns/pdnssec.cc +++ b/pdns/pdnssec.cc @@ -66,6 +66,7 @@ void loadMainConfig(const std::string& configdir) cleanSlashes(configname); ::arg().laxFile(configname.c_str()); + ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000"; ::arg().set("module-dir","Default directory for modules")=LIBDIR; BackendMakers().launch(::arg()["launch"]); // vrooooom! ::arg().laxFile(configname.c_str()); @@ -108,22 +109,28 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone) return; } sd.db->list(zone, sd.domain_id); - DNSResourceRecord rr; - set qnames, nsset, dsnames; + DNSResourceRecord rr; + set qnames, nsset, dsnames, nonterm, insnonterm, delnonterm; + bool doent=true; while(sd.db->get(rr)) { - qnames.insert(rr.qname); - if(rr.qtype.getCode() == QType::NS && !pdns_iequals(rr.qname, zone)) - nsset.insert(rr.qname); - if(rr.qtype.getCode() == QType::DS) - dsnames.insert(rr.qname); + if (rr.qtype.getCode()) + { + qnames.insert(rr.qname); + if(rr.qtype.getCode() == QType::NS && !pdns_iequals(rr.qname, zone)) + nsset.insert(rr.qname); + if(rr.qtype.getCode() == QType::DS) + dsnames.insert(rr.qname); + } + else + if(doent) + delnonterm.insert(rr.qname); } NSEC3PARAMRecordContent ns3pr; bool narrow; bool haveNSEC3=dk.getNSEC3PARAM(zone, &ns3pr, &narrow); - string hashed; if(!haveNSEC3) cerr<<"Adding NSEC ordering information"<startTransaction("", -1); + + bool realrr=true; + string hashed; + + uint32_t maxent = ::arg().asNum("max-ent-entries"); + + dononterm:; BOOST_FOREACH(const string& qname, qnames) { - string shorter(qname); bool auth=true; + string shorter(qname); - do { - if(nsset.count(shorter)) { - auth=false; - break; - } - }while(chopOff(shorter)); + if(realrr) { + do { + if(nsset.count(shorter)) { + auth=false; + break; + } + } while(chopOff(shorter)); - if(dsnames.count(qname)) - auth=true; + if(dsnames.count(qname)) + auth=true; + } if(haveNSEC3) { @@ -156,7 +172,7 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone) cerr<<"'"< '"<< hashed <<"'"<updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, auth); - if(!auth || dsnames.count(qname)) + if((!auth || dsnames.count(qname)) && realrr) { sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS"); sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A"); @@ -165,14 +181,62 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone) } else // NSEC { - sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth); - if(!auth || dsnames.count(qname)) + if(realrr) { - sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A"); - sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA"); + sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth); + if(!auth || dsnames.count(qname)) + { + sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A"); + sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA"); + } + } + else + { + sd.db->nullifyDNSSECOrderName(sd.domain_id, qname); + } + } + + if(auth && realrr && doent) + { + shorter=qname; + while(!pdns_iequals(shorter, zone) && chopOff(shorter)) + { + if(!qnames.count(shorter) && !nonterm.count(shorter)) + { + if(!(maxent)) + { + cerr<<"Zone '"<updateEmptyNonTerminals(sd.domain_id, zone, insnonterm, delnonterm, !doent); + } + if(doent) + { + realrr=false; + qnames=nonterm; + goto dononterm; + } + } + if(doTransaction) sd.db->commitTransaction(); } diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index 18e1ebb12..eb4324fc5 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc @@ -113,7 +113,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote) domain_id=di.id; Resolver::res_t recs; - set nsset, qnames, dsnames; + set nsset, qnames, dsnames, nonterm, delnonterm; ComboAddress raddr(remote, 53); @@ -201,19 +201,12 @@ void CommunicatorClass::suck(const string &domain,const string &remote) dnssecZone = gotPresigned = true; continue; } - + if(!endsOn(i->qname, domain)) { L<qname<<"'|"<qtype.getName()<<" during AXFR of zone '"<qtype.getCode() == QType::NS && !pdns_iequals(i->qname, domain)) - nsset.insert(i->qname); - if(i->qtype.getCode() != QType::RRSIG) // this excludes us hashing RRSIGs for NSEC(3) - qnames.insert(i->qname); - if(i->qtype.getCode() == QType::DS) - dsnames.insert(i->qname); - i->domain_id=domain_id; #if 0 if(i->qtype.getCode()>=60000) @@ -233,6 +226,12 @@ void CommunicatorClass::suck(const string &domain,const string &remote) } else { di.backend->feedRecord(*i); + if(i->qtype.getCode() == QType::NS && !pdns_iequals(i->qname, domain)) + nsset.insert(i->qname); + if(i->qtype.getCode() != QType::RRSIG) // this excludes us hashing RRSIGs for NSEC(3) + qnames.insert(i->qname); + if(i->qtype.getCode() == QType::DS) + dsnames.insert(i->qname); } } } @@ -243,20 +242,29 @@ void CommunicatorClass::suck(const string &domain,const string &remote) haveNSEC3 = false; } + bool doent=true; + bool realrr=true; string hashed; + + uint32_t maxent = ::arg().asNum("max-ent-entries"); + + dononterm:; BOOST_FOREACH(const string& qname, qnames) { - string shorter(qname); bool auth=true; - do { - if(nsset.count(shorter)) { - auth=false; - break; - } - }while(chopOff(shorter)); - - if(dsnames.count(qname)) - auth=true; + string shorter(qname); + + if(realrr) { + do { + if(nsset.count(shorter)) { + auth=false; + break; + } + }while(chopOff(shorter)); + + if(dsnames.count(qname)) + auth=true; + } if(dnssecZone && haveNSEC3) { @@ -264,7 +272,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote) hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname))); } di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth); // this should always be done - if(!auth || dsnames.count(qname)) + if((!auth || dsnames.count(qname)) && realrr) { di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS"); di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A"); @@ -273,14 +281,48 @@ void CommunicatorClass::suck(const string &domain,const string &remote) } else // NSEC { - di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth); - if(!auth || dsnames.count(qname)) + if(realrr) { - di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A"); - di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA"); + di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth); + if(!auth || dsnames.count(qname)) + { + di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A"); + di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA"); + } + } + } + + if(auth && realrr && doent) + { + shorter=qname; + while(!pdns_iequals(shorter, domain) && chopOff(shorter)) + { + if(!qnames.count(shorter) && !nonterm.count(shorter)) + { + if(!(maxent)) + { + L<updateEmptyNonTerminals(domain_id, domain, nonterm, delnonterm, false)) + { + realrr=false; + qnames=nonterm; + goto dononterm; + } + } + di.backend->commitTransaction(); di.backend->setFresh(domain_id); PC.purge(domain+"$"); diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc index b3d20723f..b88856cc0 100644 --- a/pdns/tcpreceiver.cc +++ b/pdns/tcpreceiver.cc @@ -639,11 +639,19 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out continue; records++; if(securedZone && (rr.auth || (!NSEC3Zone && rr.qtype.getCode() == QType::NS) || rr.qtype.getCode() == QType::DS)) { // this is probably NSEC specific, NSEC3 is different - keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname); - NSECXEntry& ne = nsecxrepo[keyname]; - ne.d_set.insert(rr.qtype.getCode()); - ne.d_ttl = sd.default_ttl; + if (NSEC3Zone || rr.qtype.getCode()) { + keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname); + NSECXEntry& ne = nsecxrepo[keyname]; + ne.d_ttl = sd.default_ttl; + if (rr.qtype.getCode()) { + ne.d_set.insert(rr.qtype.getCode()); + } + } } + + if (!rr.qtype.getCode()) + continue; // skip empty non-terminals + if(rr.qtype.getCode() == QType::SOA) continue; // skip SOA - would indicate end of AXFR @@ -673,7 +681,8 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) { NSEC3RecordContent n3rc; n3rc.d_set = iter->second.d_set; - n3rc.d_set.insert(QType::RRSIG); + if (n3rc.d_set.size()) + n3rc.d_set.insert(QType::RRSIG); n3rc.d_salt=ns3pr.d_salt; n3rc.d_flags = ns3pr.d_flags; n3rc.d_iterations = ns3pr.d_iterations; @@ -686,7 +695,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out rr.qname = dotConcat(toLower(toBase32Hex(iter->first)), sd.qname); - rr.ttl = iter->second.d_ttl; + rr.ttl = sd.default_ttl; rr.content = n3rc.getZoneRepresentation(); rr.qtype = QType::NSEC3; rr.d_place = DNSResourceRecord::ANSWER; @@ -720,7 +729,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out rr.qname = labelReverse(iter->first); - rr.ttl = iter->second.d_ttl; + rr.ttl = sd.default_ttl; rr.content = nrc.getZoneRepresentation(); rr.qtype = QType::NSEC; rr.d_place = DNSResourceRecord::ANSWER; diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result index 87ab6efab..8713faa7a 100644 --- a/regression-tests.nobackend/tinydns-data-check/expected_result +++ b/regression-tests.nobackend/tinydns-data-check/expected_result @@ -1,7 +1,7 @@ b6d1c64a890e3f3ce40970724a12eb0b ../regression-tests/example.com -bb578fbd58265c977dc83a52bde80928 ../regression-tests/test.com +451fb64d4a6b33b63124556d789ac3d0 ../regression-tests/test.com 7d726bc367bf5e6ee5f1689994c6b6d4 ../regression-tests/wtest.com a0670eef8fba3e16908057af8de2c2f2 ../regression-tests/dnssec-parent.com 42dd3a56c7d268e75836371878819ec4 ../regression-tests/delegated.dnssec-parent.com 24514dc104b22206daeb973ff9303545 ../regression-tests/minimal.com -61490253e7b3a9ac1e0be2214c16cfa0 ../modules/tinydnsbackend/data.cdb +f1e5a8ab3243ad2c47b29d06f22bdeaf ../modules/tinydnsbackend/data.cdb diff --git a/regression-tests/any-wildcard-dnssec/expected_result.narrow b/regression-tests/any-wildcard-dnssec/expected_result.narrow index ac4240976..198d560cc 100644 --- a/regression-tests/any-wildcard-dnssec/expected_result.narrow +++ b/regression-tests/any-wildcard-dnssec/expected_result.narrow @@ -1,6 +1,6 @@ 0 www.something.wtest.com. IN A 3600 4.3.2.1 0 www.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ... -1 7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com. IN NSEC3 86400 1 1 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A RRSIG +1 7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com. IN NSEC3 86400 1 1 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A 1 7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/cleandig b/regression-tests/cleandig index 0789f1dd3..c9a14ea26 100755 --- a/regression-tests/cleandig +++ b/regression-tests/cleandig @@ -1,5 +1,8 @@ #!/bin/sh +if [ ! -f $testname/use.drill ] +then ../pdns/sdig $nameserver $port $1 $2 $3 | LC_ALL=C sort +fi ../pdns/nsec3dig $nameserver $port $1 $2 > $testname/nsec3dig.out 2>&1 drill -a -p $port -o rd -D -S -k trustedkeys $1 $2 @$nameserver > $testname/drillchase.out 2>&1 echo RETVAL: $? >> $testname/drillchase.out @@ -12,4 +15,8 @@ then unbound-host -v -C unbound-host.conf -t $2 $1 > $testname/unbound-host.out 2>&1 echo RETVAL: $? >> $testname/unbound-host.out fi +if [ -f $testname/use.drill ] +then + cat $testname/drill.out +fi grep -i bogus $testname/*.out diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.narrow b/regression-tests/ds-at-unsecure-delegation/expected_result.narrow index addd09961..9f73d5390 100644 --- a/regression-tests/ds-at-unsecure-delegation/expected_result.narrow +++ b/regression-tests/ds-at-unsecure-delegation/expected_result.narrow @@ -1,6 +1,6 @@ 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS RRSIG +1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow b/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow index f1f8edd9b..8b9130ea2 100644 --- a/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow +++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow @@ -1,4 +1,4 @@ -1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK A NS SOA RRSIG +1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK 1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/ds-inside-delegation/expected_result.narrow b/regression-tests/ds-inside-delegation/expected_result.narrow index 9f62772b3..e10c2abb7 100644 --- a/regression-tests/ds-inside-delegation/expected_result.narrow +++ b/regression-tests/ds-inside-delegation/expected_result.narrow @@ -1,4 +1,4 @@ -1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS RRSIG +1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 1 usa.example.com. IN NS 120 usa-ns1.usa.example.com. 1 usa.example.com. IN NS 120 usa-ns2.usa.example.com. 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM diff --git a/regression-tests/ent-any/command b/regression-tests/ent-any/command new file mode 100755 index 000000000..4c54b850e --- /dev/null +++ b/regression-tests/ent-any/command @@ -0,0 +1,2 @@ +#!/bin/sh +cleandig c.test.com ANY dnssec diff --git a/regression-tests/ent-any/description b/regression-tests/ent-any/description new file mode 100644 index 000000000..b2abf57a4 --- /dev/null +++ b/regression-tests/ent-any/description @@ -0,0 +1 @@ +Check if the empty non-terminal exists (ANY query) diff --git a/regression-tests/ent-any/expected_result b/regression-tests/ent-any/expected_result new file mode 100644 index 000000000..baa54f615 --- /dev/null +++ b/regression-tests/ent-any/expected_result @@ -0,0 +1,7 @@ +1 blah.test.com. IN NSEC 86400 b.c.test.com. NS RRSIG NSEC +1 blah.test.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=ANY diff --git a/regression-tests/ent-any/expected_result.narrow b/regression-tests/ent-any/expected_result.narrow new file mode 100644 index 000000000..5205970c2 --- /dev/null +++ b/regression-tests/ent-any/expected_result.narrow @@ -0,0 +1,7 @@ +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G5 +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=ANY diff --git a/regression-tests/ent-any/expected_result.nsec3 b/regression-tests/ent-any/expected_result.nsec3 new file mode 100644 index 000000000..1cc03b561 --- /dev/null +++ b/regression-tests/ent-any/expected_result.nsec3 @@ -0,0 +1,7 @@ +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=ANY diff --git a/regression-tests/ent-any/skip.nodnssec b/regression-tests/ent-any/skip.nodnssec new file mode 100644 index 000000000..e69de29bb diff --git a/regression-tests/ent-axfr/command b/regression-tests/ent-axfr/command new file mode 100755 index 000000000..6ff578f37 --- /dev/null +++ b/regression-tests/ent-axfr/command @@ -0,0 +1,2 @@ +#!/bin/sh +USEDRILL=1 cleandig test.com AXFR dnssec | grep -P 'IN\tNSEC' | LC_ALL=C sort diff --git a/regression-tests/ent-axfr/description b/regression-tests/ent-axfr/description new file mode 100644 index 000000000..f686869e6 --- /dev/null +++ b/regression-tests/ent-axfr/description @@ -0,0 +1 @@ +Are all NSECx records present in the AXFR output (including empty non-terminals) diff --git a/regression-tests/ent-axfr/expected_result b/regression-tests/ent-axfr/expected_result new file mode 100644 index 000000000..e7c6915e3 --- /dev/null +++ b/regression-tests/ent-axfr/expected_result @@ -0,0 +1,16 @@ +*.a.b.c.test.com. 86400 IN NSEC counter.test.com. A RRSIG NSEC +*.test.test.com. 86400 IN NSEC sub.test.test.com. CNAME RRSIG NSEC +_double._tcp.dc.test.com. 86400 IN NSEC _ldap._tcp.dc.test.com. SRV RRSIG NSEC +_ldap._tcp.dc.test.com. 86400 IN NSEC enum.test.com. SRV RRSIG NSEC +_underscore.test.com. 86400 IN NSEC blah.test.com. TXT RRSIG NSEC +b.c.test.com. 86400 IN NSEC *.a.b.c.test.com. A RRSIG NSEC +blah.test.com. 86400 IN NSEC b.c.test.com. NS RRSIG NSEC +counter.test.com. 86400 IN NSEC _double._tcp.dc.test.com. A RRSIG NSEC +enum.test.com. 86400 IN NSEC server1.test.com. NAPTR RRSIG NSEC +server1.test.com. 86400 IN NSEC *.test.test.com. A RP RRSIG NSEC +sub.test.test.com. 86400 IN NSEC www.test.test.com. NS RRSIG NSEC +test.com. 86400 IN NSEC _underscore.test.com. NS SOA MX RRSIG NSEC DNSKEY +very-long-txt.test.com. 86400 IN NSEC within-server.test.com. TXT RRSIG NSEC +within-server.test.com. 86400 IN NSEC www.test.com. CNAME RRSIG NSEC +www.test.com. 86400 IN NSEC test.com. CNAME RRSIG NSEC +www.test.test.com. 86400 IN NSEC very-long-txt.test.com. A RRSIG NSEC diff --git a/regression-tests/ent-axfr/expected_result.nsec3 b/regression-tests/ent-axfr/expected_result.nsec3 new file mode 100644 index 000000000..1bdb90174 --- /dev/null +++ b/regression-tests/ent-axfr/expected_result.nsec3 @@ -0,0 +1,20 @@ +2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. 86400 IN NSEC3 1 1 1 abcd 79u3das6ucctns1br3tvd8qkanni351l NS SOA MX RRSIG DNSKEY NSEC3PARAM +79u3das6ucctns1br3tvd8qkanni351l.test.com. 86400 IN NSEC3 1 1 1 abcd 7mmura8h40be5n4koan7rnmkursamh99 +7mmura8h40be5n4koan7rnmkursamh99.test.com. 86400 IN NSEC3 1 1 1 abcd 88f1bqrb2iscvfel2sqqcksvflnekap6 +88f1bqrb2iscvfel2sqqcksvflnekap6.test.com. 86400 IN NSEC3 1 1 1 abcd a5labagjjevr86gh0hf3jg7nufhga5ar CNAME RRSIG +a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. 86400 IN NSEC3 1 1 1 abcd aovp95mr44hqefrqus6nomsd944bm3vb A RRSIG +aovp95mr44hqefrqus6nomsd944bm3vb.test.com. 86400 IN NSEC3 1 1 1 abcd b022o9dksaj737fh77e7kqqtj3om56ki A RRSIG +b022o9dksaj737fh77e7kqqtj3om56ki.test.com. 86400 IN NSEC3 1 1 1 abcd dafc69cv5n2tfcf6ovbvtv94drgmqjo5 +dafc69cv5n2tfcf6ovbvtv94drgmqjo5.test.com. 86400 IN NSEC3 1 1 1 abcd eban51bjgugorb20unp5peec7s5d2eka TXT RRSIG +eban51bjgugorb20unp5peec7s5d2eka.test.com. 86400 IN NSEC3 1 1 1 abcd h5855rvon2aasm8qv1nk49i1b2mkbejp SRV RRSIG +h5855rvon2aasm8qv1nk49i1b2mkbejp.test.com. 86400 IN NSEC3 1 1 1 abcd iai9hin25meh689r5v5gtifk8om5di0e A RRSIG +iai9hin25meh689r5v5gtifk8om5di0e.test.com. 86400 IN NSEC3 1 1 1 abcd igf4m7otecach14p0a6ingi7dbuas5b2 A RRSIG +igf4m7otecach14p0a6ingi7dbuas5b2.test.com. 86400 IN NSEC3 1 1 1 abcd o1l0fb73hi3qp4a3fnqjsleanlc883i3 A RP RRSIG +o1l0fb73hi3qp4a3fnqjsleanlc883i3.test.com. 86400 IN NSEC3 1 1 1 abcd plud9qqecuril62gcfp8br44i7eoq7c9 TXT RRSIG +plud9qqecuril62gcfp8br44i7eoq7c9.test.com. 86400 IN NSEC3 1 1 1 abcd qd81ag9inqts1ocs7api0pji94k27btr SRV RRSIG +qd81ag9inqts1ocs7api0pji94k27btr.test.com. 86400 IN NSEC3 1 1 1 abcd s6g5shc1jvovl5fl9e943adlonqln7g4 CNAME RRSIG +s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. 86400 IN NSEC3 1 1 1 abcd sa5vvpqn1coejgj3hbkfekdnii8kksqa +sa5vvpqn1coejgj3hbkfekdnii8kksqa.test.com. 86400 IN NSEC3 1 1 1 abcd sra2sm4pl136bultass7qqnlblipe8am NAPTR RRSIG +sra2sm4pl136bultass7qqnlblipe8am.test.com. 86400 IN NSEC3 1 1 1 abcd vlvujatanof6feajoesti9kq4s0crst3 CNAME RRSIG +test.com. 86400 IN NSEC3PARAM 1 0 1 abcd +vlvujatanof6feajoesti9kq4s0crst3.test.com. 86400 IN NSEC3 1 1 1 abcd 2eu2gulbu53h9uvhfalshpbo2a83t6l2 diff --git a/regression-tests/ent-axfr/skip.nodnssec b/regression-tests/ent-axfr/skip.nodnssec new file mode 100644 index 000000000..e69de29bb diff --git a/regression-tests/ent-axfr/use.drill b/regression-tests/ent-axfr/use.drill new file mode 100644 index 000000000..e69de29bb diff --git a/regression-tests/ent-rr-enclosed-in-ent/command b/regression-tests/ent-rr-enclosed-in-ent/command new file mode 100755 index 000000000..64f4fab1d --- /dev/null +++ b/regression-tests/ent-rr-enclosed-in-ent/command @@ -0,0 +1,2 @@ +#!/bin/sh +cleandig b.c.test.com TXT dnssec diff --git a/regression-tests/ent-rr-enclosed-in-ent/description b/regression-tests/ent-rr-enclosed-in-ent/description new file mode 100644 index 000000000..60915782a --- /dev/null +++ b/regression-tests/ent-rr-enclosed-in-ent/description @@ -0,0 +1 @@ +Check NSECx records if a record is enclosed (above and below) in empty-non-terminals. diff --git a/regression-tests/ent-rr-enclosed-in-ent/expected_result b/regression-tests/ent-rr-enclosed-in-ent/expected_result new file mode 100644 index 000000000..720708fe5 --- /dev/null +++ b/regression-tests/ent-rr-enclosed-in-ent/expected_result @@ -0,0 +1,7 @@ +1 b.c.test.com. IN NSEC 86400 *.a.b.c.test.com. A RRSIG NSEC +1 b.c.test.com. IN RRSIG 86400 NSEC 8 4 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='b.c.test.com.', qtype=TXT diff --git a/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow b/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow new file mode 100644 index 000000000..1408e9b46 --- /dev/null +++ b/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow @@ -0,0 +1,7 @@ +1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN NSEC3 86400 1 1 1 abcd A5LABAGJJEVR86GH0HF3JG7NUFHGA5AS A RRSIG +1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='b.c.test.com.', qtype=TXT diff --git a/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 b/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 new file mode 100644 index 000000000..9c10fb90c --- /dev/null +++ b/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 @@ -0,0 +1,7 @@ +1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN NSEC3 86400 1 1 1 abcd AOVP95MR44HQEFRQUS6NOMSD944BM3VB A RRSIG +1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='b.c.test.com.', qtype=TXT diff --git a/regression-tests/ent-rr-enclosed-in-ent/skip.nodnssec b/regression-tests/ent-rr-enclosed-in-ent/skip.nodnssec new file mode 100644 index 000000000..e69de29bb diff --git a/regression-tests/ent-soa/command b/regression-tests/ent-soa/command new file mode 100755 index 000000000..554149de3 --- /dev/null +++ b/regression-tests/ent-soa/command @@ -0,0 +1,2 @@ +#!/bin/sh +cleandig c.test.com SOA dnssec diff --git a/regression-tests/ent-soa/description b/regression-tests/ent-soa/description new file mode 100644 index 000000000..3fdd3d26c --- /dev/null +++ b/regression-tests/ent-soa/description @@ -0,0 +1 @@ +Check if the empty non-terminal exists (SOA query) diff --git a/regression-tests/ent-soa/expected_result b/regression-tests/ent-soa/expected_result new file mode 100644 index 000000000..862bcffef --- /dev/null +++ b/regression-tests/ent-soa/expected_result @@ -0,0 +1,7 @@ +1 blah.test.com. IN NSEC 86400 b.c.test.com. NS RRSIG NSEC +1 blah.test.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=SOA diff --git a/regression-tests/ent-soa/expected_result.narrow b/regression-tests/ent-soa/expected_result.narrow new file mode 100644 index 000000000..43adea918 --- /dev/null +++ b/regression-tests/ent-soa/expected_result.narrow @@ -0,0 +1,7 @@ +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G5 +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=SOA diff --git a/regression-tests/ent-soa/expected_result.nsec3 b/regression-tests/ent-soa/expected_result.nsec3 new file mode 100644 index 000000000..a9eac7b75 --- /dev/null +++ b/regression-tests/ent-soa/expected_result.nsec3 @@ -0,0 +1,7 @@ +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=SOA diff --git a/regression-tests/ent-soa/skip.nodnssec b/regression-tests/ent-soa/skip.nodnssec new file mode 100644 index 000000000..e69de29bb diff --git a/regression-tests/ent-wildcard-below-ent/command b/regression-tests/ent-wildcard-below-ent/command new file mode 100755 index 000000000..54a72e896 --- /dev/null +++ b/regression-tests/ent-wildcard-below-ent/command @@ -0,0 +1,2 @@ +#!/bin/sh +cleandig something.a.b.c.test.com A dnssec diff --git a/regression-tests/ent-wildcard-below-ent/description b/regression-tests/ent-wildcard-below-ent/description new file mode 100644 index 000000000..de9da1617 --- /dev/null +++ b/regression-tests/ent-wildcard-below-ent/description @@ -0,0 +1 @@ +Check RRSIG label count if there are empty non-terminals involved diff --git a/regression-tests/ent-wildcard-below-ent/expected_result b/regression-tests/ent-wildcard-below-ent/expected_result new file mode 100644 index 000000000..6f1d98a0e --- /dev/null +++ b/regression-tests/ent-wildcard-below-ent/expected_result @@ -0,0 +1,7 @@ +0 something.a.b.c.test.com. IN A 3600 8.7.6.5 +0 something.a.b.c.test.com. IN RRSIG 3600 A 8 5 3600 [expiry] [inception] [keytag] test.com. ... +1 *.a.b.c.test.com. IN NSEC 86400 counter.test.com. A RRSIG NSEC +1 *.a.b.c.test.com. IN RRSIG 86400 NSEC 8 5 86400 [expiry] [inception] [keytag] test.com. ... +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='something.a.b.c.test.com.', qtype=A diff --git a/regression-tests/ent-wildcard-below-ent/expected_result.narrow b/regression-tests/ent-wildcard-below-ent/expected_result.narrow new file mode 100644 index 000000000..431d99fe4 --- /dev/null +++ b/regression-tests/ent-wildcard-below-ent/expected_result.narrow @@ -0,0 +1,7 @@ +0 something.a.b.c.test.com. IN A 3600 8.7.6.5 +0 something.a.b.c.test.com. IN RRSIG 3600 A 8 5 3600 [expiry] [inception] [keytag] test.com. ... +1 qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com. IN NSEC3 86400 1 1 1 abcd QJEIRDHB04IR4VBS5PBBHBUE69DLQ9NT +1 qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='something.a.b.c.test.com.', qtype=A diff --git a/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 b/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 new file mode 100644 index 000000000..45bd63917 --- /dev/null +++ b/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 @@ -0,0 +1,7 @@ +0 something.a.b.c.test.com. IN A 3600 8.7.6.5 +0 something.a.b.c.test.com. IN RRSIG 3600 A 8 5 3600 [expiry] [inception] [keytag] test.com. ... +1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN NSEC3 86400 1 1 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G4 CNAME RRSIG +1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='something.a.b.c.test.com.', qtype=A diff --git a/regression-tests/ent-wildcard-below-ent/skip.nodnssec b/regression-tests/ent-wildcard-below-ent/skip.nodnssec new file mode 100644 index 000000000..e69de29bb diff --git a/regression-tests/ent/command b/regression-tests/ent/command new file mode 100755 index 000000000..2c9876bdf --- /dev/null +++ b/regression-tests/ent/command @@ -0,0 +1,2 @@ +#!/bin/sh +cleandig c.test.com A dnssec diff --git a/regression-tests/ent/description b/regression-tests/ent/description new file mode 100644 index 000000000..25296cfef --- /dev/null +++ b/regression-tests/ent/description @@ -0,0 +1 @@ +Check if the empty non-terminal exists (A query) diff --git a/regression-tests/ent/expected_result b/regression-tests/ent/expected_result new file mode 100644 index 000000000..4400426c6 --- /dev/null +++ b/regression-tests/ent/expected_result @@ -0,0 +1,7 @@ +1 blah.test.com. IN NSEC 86400 b.c.test.com. NS RRSIG NSEC +1 blah.test.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=A diff --git a/regression-tests/ent/expected_result.narrow b/regression-tests/ent/expected_result.narrow new file mode 100644 index 000000000..80c8ba8c3 --- /dev/null +++ b/regression-tests/ent/expected_result.narrow @@ -0,0 +1,7 @@ +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G5 +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=A diff --git a/regression-tests/ent/expected_result.nsec3 b/regression-tests/ent/expected_result.nsec3 new file mode 100644 index 000000000..a4e0734ce --- /dev/null +++ b/regression-tests/ent/expected_result.nsec3 @@ -0,0 +1,7 @@ +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=A diff --git a/regression-tests/ent/skip.nodnssec b/regression-tests/ent/skip.nodnssec new file mode 100644 index 000000000..e69de29bb diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow index a3a2083fc..c2928f31a 100644 --- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow +++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow @@ -1,6 +1,6 @@ 0 www.a.b.c.d.e.something.wtest.com. IN A 3600 4.3.2.1 0 www.a.b.c.d.e.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ... -1 pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com. IN NSEC3 86400 1 1 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0 RRSIG +1 pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com. IN NSEC3 86400 1 1 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0 1 pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/five-levels-wildcard/expected_result.narrow b/regression-tests/five-levels-wildcard/expected_result.narrow index 42a06912e..2c086cb3e 100644 --- a/regression-tests/five-levels-wildcard/expected_result.narrow +++ b/regression-tests/five-levels-wildcard/expected_result.narrow @@ -1,6 +1,6 @@ 0 www.a.b.c.d.e.wtest.com. IN A 3600 6.7.8.9 0 www.a.b.c.d.e.wtest.com. IN RRSIG 3600 A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ... -1 pet5iqbgccga60p2n38nmuanrk50papg.wtest.com. IN NSEC3 86400 1 1 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI RRSIG +1 pet5iqbgccga60p2n38nmuanrk50papg.wtest.com. IN NSEC3 86400 1 1 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI 1 pet5iqbgccga60p2n38nmuanrk50papg.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/minimal-nxdomain/expected_result.narrow b/regression-tests/minimal-nxdomain/expected_result.narrow index f0c15c31d..ed29f92c1 100644 --- a/regression-tests/minimal-nxdomain/expected_result.narrow +++ b/regression-tests/minimal-nxdomain/expected_result.narrow @@ -1,3 +1,3 @@ 1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM -1 8hki26qt36v6qs8cll4e4nvjit38uhap.minimal.com. IN NSEC3 86400 1 1 1 abcd 8HKI26QT36V6QS8CLL4E4NVJIT38UHAR RRSIG -1 9oadfe8c55evko75kb06spdl23p4fmrh.minimal.com. IN NSEC3 86400 1 1 1 abcd 9OADFE8C55EVKO75KB06SPDL23P4FMRJ RRSIG +1 8hki26qt36v6qs8cll4e4nvjit38uhap.minimal.com. IN NSEC3 86400 1 1 1 abcd 8HKI26QT36V6QS8CLL4E4NVJIT38UHAR +1 9oadfe8c55evko75kb06spdl23p4fmrh.minimal.com. IN NSEC3 86400 1 1 1 abcd 9OADFE8C55EVKO75KB06SPDL23P4FMRJ diff --git a/regression-tests/nsec-glue-at-delegation/expected_result b/regression-tests/nsec-glue-at-delegation/expected_result index 6a223b6de..29dffa737 100644 --- a/regression-tests/nsec-glue-at-delegation/expected_result +++ b/regression-tests/nsec-glue-at-delegation/expected_result @@ -1,5 +1,5 @@ 1 blah.test.com. IN NS 3600 blah.test.com. -1 blah.test.com. IN NSEC 86400 counter.test.com. NS RRSIG NSEC +1 blah.test.com. IN NSEC 86400 b.c.test.com. NS RRSIG NSEC 1 blah.test.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] test.com. ... 2 . IN OPT 32768 2 blah.test.com. IN A 3600 192.168.6.1 diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.narrow b/regression-tests/nsec-glue-at-delegation/expected_result.narrow index 88e1d7f56..78cb4a233 100644 --- a/regression-tests/nsec-glue-at-delegation/expected_result.narrow +++ b/regression-tests/nsec-glue-at-delegation/expected_result.narrow @@ -1,7 +1,7 @@ 1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 blah.test.com. IN NS 3600 blah.test.com. -1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN NSEC3 86400 1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC A NS RRSIG +1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN NSEC3 86400 1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC 1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 2 . IN OPT 32768 2 blah.test.com. IN A 3600 192.168.6.1 diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 index 81624823b..c290970e5 100644 --- a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 +++ b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 @@ -1,8 +1,8 @@ -1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 88F1BQRB2ISCVFEL2SQQCKSVFLNEKAP6 NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 79U3DAS6UCCTNS1BR3TVD8QKANNI351L NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 blah.test.com. IN NS 3600 blah.test.com. -1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA CNAME RRSIG -1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 2 . IN OPT 32768 2 blah.test.com. IN A 3600 192.168.6.1 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 diff --git a/regression-tests/nsec-glue/expected_result.narrow b/regression-tests/nsec-glue/expected_result.narrow index 6a1c2d557..a2bf76ad4 100644 --- a/regression-tests/nsec-glue/expected_result.narrow +++ b/regression-tests/nsec-glue/expected_result.narrow @@ -1,8 +1,8 @@ -1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 RRSIG +1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com. IN NSEC3 86400 1 1 1 abcd KT3LL2FGP7P2S71MK7FRK5IGI8PC8GL3 RRSIG +1 kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com. IN NSEC3 86400 1 1 1 abcd KT3LL2FGP7P2S71MK7FRK5IGI8PC8GL3 1 kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... diff --git a/regression-tests/nsec-middle/expected_result.narrow b/regression-tests/nsec-middle/expected_result.narrow index 0db51e55c..bd6a24a87 100644 --- a/regression-tests/nsec-middle/expected_result.narrow +++ b/regression-tests/nsec-middle/expected_result.narrow @@ -1,8 +1,8 @@ -1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 RRSIG +1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 sthvu2kihc96kc1tu8v3curr8og5dghn.example.com. IN NSEC3 86400 1 1 1 abcd STHVU2KIHC96KC1TU8V3CURR8OG5DGHP RRSIG +1 sthvu2kihc96kc1tu8v3curr8og5dghn.example.com. IN NSEC3 86400 1 1 1 abcd STHVU2KIHC96KC1TU8V3CURR8OG5DGHP 1 sthvu2kihc96kc1tu8v3curr8og5dghn.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... diff --git a/regression-tests/nsec-wildcard/expected_result.narrow b/regression-tests/nsec-wildcard/expected_result.narrow index da2aca705..d7d9fa548 100644 --- a/regression-tests/nsec-wildcard/expected_result.narrow +++ b/regression-tests/nsec-wildcard/expected_result.narrow @@ -1,4 +1,4 @@ -1 368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com. IN NSEC3 86400 1 1 1 abcd 368R0S1Q794JMKDRCPF6F85V316HD9AM RRSIG +1 368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com. IN NSEC3 86400 1 1 1 abcd 368R0S1Q794JMKDRCPF6F85V316HD9AM 1 368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 1 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG 1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow index e48b9b515..eedcaaffb 100644 --- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow +++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow @@ -2,9 +2,9 @@ 1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com. IN NSEC3 86400 1 1 1 abcd SDGBAFMJEK5V4T8C89Q9U0N03QMCSLOT RRSIG +1 sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com. IN NSEC3 86400 1 1 1 abcd SDGBAFMJEK5V4T8C89Q9U0N03QMCSLOT 1 sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN NSEC3 86400 1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR RRSIG +1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN NSEC3 86400 1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR 1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/second-level-nxdomain/expected_result.narrow b/regression-tests/second-level-nxdomain/expected_result.narrow index 286acc621..1145e1d90 100644 --- a/regression-tests/second-level-nxdomain/expected_result.narrow +++ b/regression-tests/second-level-nxdomain/expected_result.narrow @@ -2,9 +2,9 @@ 1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com. IN NSEC3 86400 1 1 1 abcd K6TA8MHI455HK3JSKN0B2ST81J6FA1L2 RRSIG +1 k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com. IN NSEC3 86400 1 1 1 abcd K6TA8MHI455HK3JSKN0B2ST81J6FA1L2 1 k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN NSEC3 86400 1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR RRSIG +1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN NSEC3 86400 1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR 1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/start-test-stop b/regression-tests/start-test-stop index 8dbbda92a..bf1fce0ec 100755 --- a/regression-tests/start-test-stop +++ b/regression-tests/start-test-stop @@ -389,4 +389,4 @@ then read l fi kill $(cat pdns*.pid) -rm pdns*.pid \ No newline at end of file +rm pdns*.pid diff --git a/regression-tests/test.com b/regression-tests/test.com index 79db956df..63e3ef6af 100644 --- a/regression-tests/test.com +++ b/regression-tests/test.com @@ -29,3 +29,5 @@ blah IN A 192.168.6.1 very-long-txt IN TXT "A very long TXT record! boy you won't believe how long. A very long TXT record! boy you won't believe how long. A very long TXT record! boy you won't believe how long. A very long TXT record! boy you won't believe how long. A very long TXT record! boy you won't believe how long!" within-server IN CNAME outpost.example.com. _underscore IN TXT "underscores are terrible" +b.c IN A 5.6.7.8 +*.a.b.c IN A 8.7.6.5 diff --git a/regression-tests/two-level-nxdomain/expected_result.narrow b/regression-tests/two-level-nxdomain/expected_result.narrow index 46383544f..1f16385a9 100644 --- a/regression-tests/two-level-nxdomain/expected_result.narrow +++ b/regression-tests/two-level-nxdomain/expected_result.narrow @@ -1,6 +1,6 @@ -1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 RRSIG +1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com. IN NSEC3 86400 1 1 1 abcd ECTNLIQSTQSJNNRPUHJJ5H0J3C3ODKK5 RRSIG +1 ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com. IN NSEC3 86400 1 1 1 abcd ECTNLIQSTQSJNNRPUHJJ5H0J3C3ODKK5 1 ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 diff --git a/regression-tests/underscore-sorting/expected_result.narrow b/regression-tests/underscore-sorting/expected_result.narrow index 33f671b38..8e1056a8f 100644 --- a/regression-tests/underscore-sorting/expected_result.narrow +++ b/regression-tests/underscore-sorting/expected_result.narrow @@ -1,3 +1,3 @@ 1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM -1 npce7etkesd3umcst08psfape1cnno5o.test.com. IN NSEC3 86400 1 1 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q RRSIG -1 nqf0papl2qmp38upr87f930kmebc0o0n.test.com. IN NSEC3 86400 1 1 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P RRSIG +1 npce7etkesd3umcst08psfape1cnno5o.test.com. IN NSEC3 86400 1 1 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q +1 nqf0papl2qmp38upr87f930kmebc0o0n.test.com. IN NSEC3 86400 1 1 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P diff --git a/regression-tests/underscore-sorting/expected_result.nsec3 b/regression-tests/underscore-sorting/expected_result.nsec3 index ecd2d3a36..3f24c777c 100644 --- a/regression-tests/underscore-sorting/expected_result.nsec3 +++ b/regression-tests/underscore-sorting/expected_result.nsec3 @@ -1,2 +1,2 @@ -1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 88F1BQRB2ISCVFEL2SQQCKSVFLNEKAP6 NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 79U3DAS6UCCTNS1BR3TVD8QKANNI351L NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 igf4m7otecach14p0a6ingi7dbuas5b2.test.com. IN NSEC3 86400 1 1 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG -- 2.40.0