From fddce2aa20140cc830acd9839cccce8573de2de1 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Fri, 2 Jun 2017 01:08:27 +0200
Subject: [PATCH] auth: keep slave dnssec status in sync with the master

---
 pdns/dbdnsseckeeper.cc    | 5 +++++
 pdns/dnsseckeeper.hh      | 1 +
 pdns/slavecommunicator.cc | 43 +++++++++++++++++++++++++--------------
 pdns/ueberbackend.cc      | 9 ++++++++
 pdns/ueberbackend.hh      | 1 +
 5 files changed, 44 insertions(+), 15 deletions(-)

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index a62784fbe..f5ba7a60b 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -51,6 +51,11 @@ pthread_rwlock_t DNSSECKeeper::s_keycachelock = PTHREAD_RWLOCK_INITIALIZER;
 AtomicCounter DNSSECKeeper::s_ops;
 time_t DNSSECKeeper::s_last_prune;
 
+bool DNSSECKeeper::doesDNSSEC()
+{
+  return d_keymetadb->doesDNSSEC();
+}
+
 bool DNSSECKeeper::isSecuredZone(const DNSName& zone)
 {
   if(isPresigned(zone))
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 9c8582f3c..c6d2249d1 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -156,6 +156,7 @@ public:
     if(d_ourDB) delete d_keymetadb;
   }
 
+  bool doesDNSSEC();
   bool isSecuredZone(const DNSName& zone);
   static uint64_t dbdnssecCacheSizes(const std::string& str);
   keyset_t getEntryPoints(const DNSName& zname);
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index d4b390100..16ee70ad0 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -773,7 +773,7 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
       DomainNotificationInfo dni;
       dni.di=di;
-      dni.dnssecOk = dk.isPresigned(di.zone);
+      dni.dnssecOk = dk.doesDNSSEC();
       if(dk.getTSIGForAccess(di.zone, sr.master, &dni.tsigkeyname)) {
         string secret64;
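Review bot: The new `DNSSECKeeper::doesDNSSEC()` in dbdnsseckeeper.cc has no comment, and because its neighbours (`isSecuredZone`, `isPresigned`) answer per-zone questions, a reader will likely assume this one does too; it takes no zone and only forwards to `d_keymetadb->doesDNSSEC()`, so it reports a backend capability, not the state of any zone. I would put `// Backend capability, not per-zone state: true when the key/metadata backend reports DNSSEC support.` above the definition, and the same sentence as a `///` comment on the matching declaration added in the dnsseckeeper.hh hunk, which is equally undocumented. Since the body only dereferences the `d_keymetadb` pointer, the method could also be declared `const` (in both files) to signal that it does not change keeper state.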
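Review bot: `dni.dnssecOk = dk.doesDNSSEC();` in the slavecommunicator.cc hunk no longer depends on `di.zone`, yet it is still evaluated once per domain in what appears to be a loop over domains (the loop head and the rest of `slaveRefresh` are outside the hunk, so this is inferred from `dni.di=di`). Computing it once before the loop, `const bool backendDoesDNSSEC = dk.doesDNSSEC();` and then `dni.dnssecOk = backendDoesDNSSEC;`, makes the zone-independence explicit and avoids a backend call per domain. A why-comment is also warranted, since everything around it (`isPresigned`, the RRSIG freshness check later in the file) is per-zone; something like `// backend capability, not zone state: request DNSSEC data from every master so a zone that becomes presigned or unsigned there is picked up` — what `dnssecOk` controls on the wire is outside the hunk, so that wording is inferred from the commit title and should be checked.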
@@ -836,6 +836,7 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P) L<setFresh(di.id); } else if(theirserial == ourserial) { - if(!dk.isPresigned(di.zone)) { - L<setFresh(di.id); - } - else { + uint32_t maxExpire=0, maxInception=0; + if(dk.isPresigned(di.zone)) { B->lookup(QType(QType::RRSIG), di.zone); // can't use DK before we are done with this lookup! DNSResourceRecord rr; - uint32_t maxExpire=0, maxInception=0; while(B->get(rr)) { RRSIGRecordContent rrc(rr.content); if(rrc.d_type == QType::SOA) { @@ -868,14 +865,30 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P) maxExpire = std::max(maxExpire, rrc.d_sigexpire); } } - if(maxInception == ssr.d_freshness[di.id].theirInception && maxExpire == ssr.d_freshness[di.id].theirExpire) { - L<setFresh(di.id); - } - else { - L<setFresh(di.id); + } + else if(maxInception == ssr.d_freshness[di.id].theirInception && maxExpire == ssr.d_freshness[di.id].theirExpire) { + L<setFresh(di.id); + } + else if(maxExpire >= now && ! ssr.d_freshness[di.id].theirInception ) { + L<setFresh(di.id); + } + else if(maxInception && ! ssr.d_freshness[di.id].theirInception ) { + L<doesDNSSEC()) + return true; + } + return false; +} + int UeberBackend::addDomainKey(const DNSName& name, const DNSBackend::KeyData& key) { int ret; diff --git a/pdns/ueberbackend.hh b/pdns/ueberbackend.hh index 7c1aecd53..c54279618 100644 --- a/pdns/ueberbackend.hh +++ b/pdns/ueberbackend.hh @@ -116,6 +116,7 @@ public: bool getDomainInfo(const DNSName &domain, DomainInfo &di); bool createDomain(const DNSName &domain); + bool doesDNSSEC(); int addDomainKey(const DNSName& name, const DNSBackend::KeyData& key); bool getDomainKeys(const DNSName& name, unsigned int kind, std::vector& keys); bool getAllDomainMetadata(const DNSName& name, std::map >& meta); -- 2.49.0
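Review bot: The `bool doesDNSSEC();` added to UeberBackend in the ueberbackend.hh hunk is undocumented and, unlike its neighbours, takes no zone; from the implementation fragment visible above in ueberbackend.cc (a loop whose body returns `true` once a backend reports DNSSEC and `false` otherwise — the loop header is garbled in this view) it appears to be an any-backend check. I would add `/// True if at least one configured backend reports DNSSEC support (a capability, not a per-zone status).` on the declaration. If that reading is right, a deployment that mixes a DNSSEC-capable backend with one that is not will get `true` for every zone, including zones served only by the non-capable backend; callers that now consult this flag per zone, such as the slaveRefresh hunk in slavecommunicator.cc, should state that assumption.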