From e44d76b69146bf7f537b530d57e8051d8ef3acd5 Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Fri, 24 Jul 2015 16:28:02 +0200 Subject: [PATCH] limit NSEC3 iterations in bindbackend and some cleanup --- modules/bindbackend/bindbackend2.hh | 15 +-- modules/bindbackend/binddnssec.cc | 140 +++++++++++++--------------- 2 files changed, 74 insertions(+), 81 deletions(-) diff --git a/modules/bindbackend/bindbackend2.hh b/modules/bindbackend/bindbackend2.hh index b03c7d623..3794c091a 100644 --- a/modules/bindbackend/bindbackend2.hh +++ b/modules/bindbackend/bindbackend2.hh @@ -47,9 +47,12 @@ using namespace ::boost::multi_index; -/** This struct is used within the Bind2Backend to store DNS information. - It is almost identical to a DNSResourceRecord, but then a bit smaller and with different sorting rules, which make sure that the SOA record comes up front. +/** + This struct is used within the Bind2Backend to store DNS information. It is + almost identical to a DNSResourceRecord, but then a bit smaller and with + different sorting rules, which make sure that the SOA record comes up front. */ + struct Bind2DNSRecord { DNSName qname; @@ -87,8 +90,8 @@ struct HashedTag{}; typedef multi_index_container< Bind2DNSRecord, indexed_by < - ordered_non_unique, Bind2DNSCompare >, - ordered_non_unique, member > + ordered_non_unique, Bind2DNSCompare >, + ordered_non_unique, member > > > recordstorage_t; @@ -226,7 +229,7 @@ public: static pthread_rwlock_t s_state_lock; void parseZoneFile(BB2DomainInfo *bbd); - void insertRecord(BB2DomainInfo& bbd, const DNSName& qname, const QType &qtype, const string &content, int ttl, const std::string& hashed=string(), bool *auth=0); + void insertRecord(BB2DomainInfo& bbd, const DNSName &qname, const QType &qtype, const string &content, int ttl, const std::string& hashed=string(), bool *auth=0); void rediscover(string *status=0); bool isMaster(const DNSName &name, const string &ip); 
@@ -247,7 +250,7 @@ private: static bool safeRemoveBBDomainInfo(const DNSName& name); bool GetBBDomainInfo(int id, BB2DomainInfo** bbd); shared_ptr d_dnssecdb; - bool getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* ns3p); + bool getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* ns3p); class handle { public: diff --git a/modules/bindbackend/binddnssec.cc b/modules/bindbackend/binddnssec.cc index 892eab4a0..2660439d8 100644 --- a/modules/bindbackend/binddnssec.cc +++ b/modules/bindbackend/binddnssec.cc @@ -19,16 +19,16 @@ along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + #ifdef HAVE_CONFIG_H #include "config.h" #endif #include "bindbackend2.hh" -#include "pdns/dnsrecords.hh" -#include "pdns/bind-dnssec.schema.sqlite3.sql.h" -#include #include "pdns/arguments.hh" +#include "pdns/dnsrecords.hh" #ifndef HAVE_SQLITE3 + void Bind2Backend::setupDNSSEC() { if(!getArg("dnssec-db").empty()) @@ -38,7 +38,7 @@ void Bind2Backend::setupDNSSEC() bool Bind2Backend::doesDNSSEC() { return d_hybrid; } -bool Bind2Backend::getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* ns3p) +bool Bind2Backend::getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* ns3p) { return false; } bool Bind2Backend::getAllDomainMetadata(const DNSName& name, std::map >& meta) 
@@ -74,19 +74,23 @@ bool Bind2Backend::setTSIGKey(const DNSName& name, const DNSName& algorithm, con bool Bind2Backend::deleteTSIGKey(const DNSName& name) { return false; } -bool Bind2Backend::getTSIGKeys(std::vector< struct TSIGKey > &keys) +bool Bind2Backend::getTSIGKeys(std::vector &keys) { return false; } -void Bind2Backend::setupStatements() + +void Bind2Backend::setupStatements() { return; } + void Bind2Backend::freeStatements() { return; } #else +#include "pdns/bind-dnssec.schema.sqlite3.sql.h" +#include "pdns/logger.hh" #include "pdns/ssqlite3.hh" + void Bind2Backend::setupDNSSEC() { - // cerr<<"Settting up dnssec db.. "<setLog(::arg().mustDo("query-logging")); } -void Bind2Backend::setupStatements() +void Bind2Backend::setupStatements() { d_getAllDomainMetadataQuery_stmt = d_dnssecdb->prepare("select kind, content from domainmetadata where domain=:domain",1); d_getDomainMetadataQuery_stmt = d_dnssecdb->prepare("select content from domainmetadata where domain=:domain and kind=:kind",2); 
@@ -123,47 +127,51 @@ void Bind2Backend::release(SSqlStatement** stmt) { *stmt = NULL; } -void Bind2Backend::freeStatements() +void Bind2Backend::freeStatements() { - release(&d_getAllDomainMetadataQuery_stmt); - release(&d_getDomainMetadataQuery_stmt); - release(&d_deleteDomainMetadataQuery_stmt); - release(&d_insertDomainMetadataQuery_stmt); - release(&d_getDomainKeysQuery_stmt); - release(&d_deleteDomainKeyQuery_stmt); - release(&d_insertDomainKeyQuery_stmt); - release(&d_activateDomainKeyQuery_stmt); - release(&d_deactivateDomainKeyQuery_stmt); - release(&d_getTSIGKeyQuery_stmt); - release(&d_setTSIGKeyQuery_stmt); - release(&d_deleteTSIGKeyQuery_stmt); - release(&d_getTSIGKeysQuery_stmt); + release(&d_getAllDomainMetadataQuery_stmt); + release(&d_getDomainMetadataQuery_stmt); + release(&d_deleteDomainMetadataQuery_stmt); + release(&d_insertDomainMetadataQuery_stmt); + release(&d_getDomainKeysQuery_stmt); + release(&d_deleteDomainKeyQuery_stmt); + release(&d_insertDomainKeyQuery_stmt); + release(&d_activateDomainKeyQuery_stmt); + release(&d_deactivateDomainKeyQuery_stmt); + release(&d_getTSIGKeyQuery_stmt); + release(&d_setTSIGKeyQuery_stmt); + release(&d_deleteTSIGKeyQuery_stmt); + release(&d_getTSIGKeysQuery_stmt); } + bool Bind2Backend::doesDNSSEC() { return d_dnssecdb || d_hybrid; } -bool Bind2Backend::getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* ns3p) +bool Bind2Backend::getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* ns3p) { if(!d_dnssecdb || d_hybrid) return false; string value; vector meta; - getDomainMetadata(zname, "NSEC3PARAM", meta); + getDomainMetadata(name, "NSEC3PARAM", meta); if(!meta.empty()) value=*meta.begin(); - - if(value.empty()) { // "no NSEC3" - return false; - } - + else + return false; // No NSEC3 zone + + static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations"); if(ns3p) { NSEC3PARAMRecordContent* tmp=dynamic_cast(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value)); *ns3p = *tmp; delete 
tmp; } + if (ns3p->d_iterations > maxNSEC3Iterations) { + ns3p->d_iterations = maxNSEC3Iterations; + L< bind("domain", name)-> @@ -188,7 +194,7 @@ bool Bind2Backend::getAllDomainMetadata(const DNSName& name, std::mapreset(); } catch(SSqlException& se) { - throw PDNSException("Error accessing DNSSEC database in BIND backend: "+se.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, getAllDomainMetadata(): "+se.txtReason()); } return true; } @@ -197,15 +203,13 @@ bool Bind2Backend::getDomainMetadata(const DNSName& name, const std::string& kin { if(!d_dnssecdb || d_hybrid) return false; - - // cerr<<"Asked to get metadata for zone '"< bind("domain", name)-> bind("kind", kind)-> - execute(); - + execute(); + SSqlStatement::row_t row; while(d_getDomainMetadataQuery_stmt->hasNextRow()) { d_getDomainMetadataQuery_stmt->nextRow(row); @@ -215,7 +219,7 @@ bool Bind2Backend::getDomainMetadata(const DNSName& name, const std::string& kin d_getDomainMetadataQuery_stmt->reset(); } catch(SSqlException& se) { - throw PDNSException("Error accessing DNSSEC database in BIND backend: "+se.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainMetadata(): "+se.txtReason()); } return true; } @@ -224,7 +228,7 @@ bool Bind2Backend::setDomainMetadata(const DNSName& name, const std::string& kin { if(!d_dnssecdb || d_hybrid) return false; - + try { d_deleteDomainMetadataQuery_stmt-> bind("domain", name)-> @@ -232,7 +236,7 @@ bool Bind2Backend::setDomainMetadata(const DNSName& name, const std::string& kin execute()-> reset(); if(!meta.empty()) { - BOOST_FOREACH(const string& value, meta) { + for(const auto& value: meta) { d_insertDomainMetadataQuery_stmt-> bind("domain", name)-> bind("kind", kind)-> 
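Review bot: The new clamp `if (ns3p->d_iterations > maxNSEC3Iterations)` dereferences `ns3p` outside the `if(ns3p)` guard that immediately precedes it, so a caller that passes a null `ns3p` to query only whether the zone is NSEC3 (a case the existing guard shows is supported) now crashes with a null dereference. Move the clamp and its warning inside the `if(ns3p) { ... }` block, after `delete tmp;`, so it only runs when a result object was supplied. The warning text also misspells "adjusted" as "adjsuted", which is worth fixing while the line is being moved. The `dynamic_cast` result `tmp` on the context line above is still copied without a null check; that is pre-existing, but the new code inherits it. The log statement itself is garbled in this rendering (`L< bind("domain", name)->`), so its exact wording could not be verified here.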
@@ -243,21 +247,21 @@ bool Bind2Backend::setDomainMetadata(const DNSName& name, const std::string& kin } } catch(SSqlException& se) { - throw PDNSException("Error accessing DNSSEC database in BIND backend: "+se.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, setDomainMetadata(): "+se.txtReason()); } return true; - } bool Bind2Backend::getDomainKeys(const DNSName& name, unsigned int kind, std::vector& keys) { - // cerr<<"Asked to get keys for zone '"< bind("domain", name)-> execute(); + KeyData kd; SSqlStatement::row_t row; while(d_getDomainKeysQuery_stmt->hasNextRow()) { @@ -268,12 +272,12 @@ bool Bind2Backend::getDomainKeys(const DNSName& name, unsigned int kind, std::ve kd.content = row[3]; keys.push_back(kd); } + d_getDomainKeysQuery_stmt->reset(); } catch(SSqlException& se) { - throw PDNSException("Error accessing DNSSEC database in BIND backend: "+se.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, getDomainKeys(): "+se.txtReason()); } - return true; } @@ -282,8 +286,6 @@ bool Bind2Backend::removeDomainKey(const DNSName& name, unsigned int id) if(!d_dnssecdb || d_hybrid) return false; - // cerr<<"Asked to remove key "< bind("domain", name)-> @@ -292,9 +294,8 @@ bool Bind2Backend::removeDomainKey(const DNSName& name, unsigned int id) reset(); } catch(SSqlException& se) { - cerr< bind("domain", name)-> @@ -315,18 +314,16 @@ int Bind2Backend::addDomainKey(const DNSName& name, const KeyData& key) reset(); } catch(SSqlException& se) { - throw PDNSException("Error accessing DNSSEC database in BIND backend: "+se.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, addDomainKey(): "+se.txtReason()); } - return true; } bool Bind2Backend::activateDomainKey(const DNSName& name, unsigned int id) { - // cerr<<"Asked to activate key "< bind("domain", name)-> 
@@ -335,18 +332,16 @@ bool Bind2Backend::activateDomainKey(const DNSName& name, unsigned int id) reset(); } catch(SSqlException& se) { - throw PDNSException("Error accessing DNSSEC database in BIND backend: "+se.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, activateDomainKey(): "+se.txtReason()); } - return true; } bool Bind2Backend::deactivateDomainKey(const DNSName& name, unsigned int id) { - // cerr<<"Asked to deactivate key "< bind("domain", name)-> @@ -355,9 +350,8 @@ bool Bind2Backend::deactivateDomainKey(const DNSName& name, unsigned int id) reset(); } catch(SSqlException& se) { - throw PDNSException("Error accessing DNSSEC database in BIND backend: "+se.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, deactivateDomainKey(): "+se.txtReason()); } - return true; } @@ -365,26 +359,27 @@ bool Bind2Backend::getTSIGKey(const DNSName& name, DNSName* algorithm, string* c { if(!d_dnssecdb || d_hybrid) return false; - + try { d_getTSIGKeyQuery_stmt-> bind("key_name", name)-> execute(); + SSqlStatement::row_t row; content->clear(); while(d_getTSIGKeyQuery_stmt->hasNextRow()) { d_getTSIGKeyQuery_stmt->nextRow(row); - if(row.size() >= 2 && (algorithm->empty() || *algorithm == DNSName(row[0]))) { + if(row.size() >= 2 && (algorithm->empty() || *algorithm == row[0])) { *algorithm = row[0]; *content = row[1]; } } + d_getTSIGKeyQuery_stmt->reset(); } catch (SSqlException &e) { - throw PDNSException("BindBackend unable to retrieve named TSIG key: "+e.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKey(): "+e.txtReason()); } - return !content->empty(); } 
@@ -402,9 +397,8 @@ bool Bind2Backend::setTSIGKey(const DNSName& name, const DNSName& algorithm, con reset(); } catch (SSqlException &e) { - throw PDNSException("BindBackend unable to retrieve named TSIG key: "+e.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, setTSIGKey(): "+e.txtReason()); } - return true; } @@ -420,9 +414,8 @@ bool Bind2Backend::deleteTSIGKey(const DNSName& name) reset(); } catch (SSqlException &e) { - throw PDNSException("BindBackend unable to retrieve named TSIG key: "+e.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, deleteTSIGKey(): "+e.txtReason()); } - return true; } @@ -433,10 +426,9 @@ bool Bind2Backend::getTSIGKeys(std::vector< struct TSIGKey > &keys) try { d_getTSIGKeysQuery_stmt-> - execute(); + execute(); SSqlStatement::row_t row; - while(d_getTSIGKeysQuery_stmt->hasNextRow()) { d_getTSIGKeysQuery_stmt->nextRow(row); struct TSIGKey key; @@ -449,11 +441,9 @@ bool Bind2Backend::getTSIGKeys(std::vector< struct TSIGKey > &keys) d_getTSIGKeysQuery_stmt->reset(); } catch (SSqlException &e) { - throw PDNSException("GSQLBackend unable to retrieve all TSIG keys: "+e.txtReason()); + throw PDNSException("Error accessing DNSSEC database in BIND backend, getTSIGKeys(): "+e.txtReason()); } - return !keys.empty(); } - #endif -- 2.49.0