
Merge branch 'nsec3optout' of github.com:mind04/pdns into mind04-nsec3optout
2 parents fc7d9db + b8adb30 commit 04b4bf67d919181add802189f432af9c45d176ef @Habbie Habbie committed May 9, 2013
Showing with 474 additions and 269 deletions.
  1. +4 −0 .travis.yml
  2. +3 −3 pdns/backends/bind/bindbackend2.cc
  3. +7 −10 pdns/packethandler.cc
  4. +35 −46 pdns/pdnssec.cc
  5. +17 −1 pdns/sdig.cc
  6. +27 −32 pdns/slavecommunicator.cc
  7. +5 −2 pdns/tcpreceiver.cc
  8. +3 −0 regression-tests/00dnssec-grabkeys/command
  9. +3 −3 regression-tests/any-nxdomain/expected_result.narrow
  10. +3 −3 regression-tests/any-nxdomain/expected_result.nsec3
  11. +1 −1 regression-tests/any-wildcard-dnssec/expected_result.narrow
  12. +1 −1 regression-tests/any-wildcard-dnssec/expected_result.nsec3
  13. +10 −1 regression-tests/bind-dnssec-setup
  14. +1 −1 regression-tests/cleandig
  15. +3 −3 regression-tests/cname-to-nxdomain/expected_result.narrow
  16. +3 −3 regression-tests/cname-to-nxdomain/expected_result.nsec3
  17. +5 −5 regression-tests/cname-wildcard-chain/expected_result.narrow
  18. +5 −5 regression-tests/cname-wildcard-chain/expected_result.nsec3
  19. +1 −1 regression-tests/ds-at-unsecure-delegation/command
  20. +3 −3 regression-tests/ds-at-unsecure-delegation/expected_result.nsec3
  21. +9 −0 regression-tests/ds-at-unsecure-delegation/expected_result.nsec3-optout
  22. +1 −1 regression-tests/ds-at-unsecure-zone-cut/command
  23. +3 −3 regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3
  24. +9 −0 regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
  25. +1 −1 regression-tests/ds-inside-delegation/command
  26. +3 −3 regression-tests/ds-inside-delegation/expected_result.nsec3
  27. +11 −0 regression-tests/ds-inside-delegation/expected_result.nsec3-optout
  28. +1 −1 regression-tests/ent-any/command
  29. +1 −1 regression-tests/ent-any/expected_result.nsec3
  30. +7 −0 regression-tests/ent-any/expected_result.nsec3-optout
  31. +24 −22 regression-tests/ent-axfr/expected_result.nsec3
  32. +23 −0 regression-tests/ent-axfr/expected_result.nsec3-optout
  33. +1 −1 regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow
  34. +1 −1 regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3
  35. +1 −1 regression-tests/ent-soa/command
  36. +1 −1 regression-tests/ent-soa/expected_result.nsec3
  37. +7 −0 regression-tests/ent-soa/expected_result.nsec3-optout
  38. +1 −1 regression-tests/ent-wildcard-below-ent/expected_result.narrow
  39. +1 −1 regression-tests/ent-wildcard-below-ent/expected_result.nsec3
  40. +1 −1 regression-tests/ent/command
  41. +1 −1 regression-tests/ent/expected_result.nsec3
  42. +7 −0 regression-tests/ent/expected_result.nsec3-optout
  43. +1 −1 regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
  44. +1 −1 regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
  45. +1 −1 regression-tests/five-levels-wildcard/expected_result.narrow
  46. +1 −1 regression-tests/five-levels-wildcard/expected_result.nsec3
  47. +1 −1 regression-tests/minimal-noerror/expected_result.narrow
  48. +1 −1 regression-tests/minimal-noerror/expected_result.nsec3
  49. +3 −3 regression-tests/minimal-nxdomain/expected_result.narrow
  50. +1 −1 regression-tests/minimal-nxdomain/expected_result.nsec3
  51. +5 −0 regression-tests/named.conf
  52. +1 −1 regression-tests/nsec-bitmap/expected_result.narrow
  53. +1 −1 regression-tests/nsec-bitmap/expected_result.nsec3
  54. +1 −1 regression-tests/nsec-glue-at-delegation/command
  55. +3 −3 regression-tests/nsec-glue-at-delegation/expected_result.nsec3
  56. +9 −0 regression-tests/nsec-glue-at-delegation/expected_result.nsec3-optout
  57. +3 −3 regression-tests/nsec-glue/expected_result.narrow
  58. +3 −3 regression-tests/nsec-glue/expected_result.nsec3
  59. +3 −3 regression-tests/nsec-middle/expected_result.narrow
  60. +3 −3 regression-tests/nsec-middle/expected_result.nsec3
  61. +3 −3 regression-tests/nsec-wildcard/expected_result.narrow
  62. +3 −3 regression-tests/nsec-wildcard/expected_result.nsec3
  63. +3 −3 regression-tests/nsec-wraparound/expected_result.nsec3
  64. +1 −1 regression-tests/nsec-wrong-type-at-apex/expected_result.narrow
  65. +1 −1 regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3
  66. +1 −1 regression-tests/nsec-wrong-type/expected_result.narrow
  67. +1 −1 regression-tests/nsec-wrong-type/expected_result.nsec3
  68. +3 −3 regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow
  69. +3 −3 regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3
  70. +3 −3 regression-tests/second-level-nxdomain/expected_result.narrow
  71. +3 −3 regression-tests/second-level-nxdomain/expected_result.nsec3
  72. +16 −0 regression-tests/secure-delegated.dnssec-parent.com
  73. +11 −0 regression-tests/secure-delegated.dnssec-parent.com.key
  74. +2 −0 regression-tests/secure-delegation-ds-ns/command
  75. +4 −0 regression-tests/secure-delegation-ds-ns/description
  76. +4 −0 regression-tests/secure-delegation-ds-ns/expected_result
  77. +6 −0 regression-tests/secure-delegation-ds-ns/expected_result.dnssec
  78. +1 −1 regression-tests/secure-delegation/command
  79. +1 −3 regression-tests/secure-delegation/description
  80. +3 −3 regression-tests/secure-delegation/expected_result
  81. +4 −5 regression-tests/secure-delegation/expected_result.dnssec
  82. +3 −3 regression-tests/space-name/expected_result.narrow
  83. +3 −3 regression-tests/space-name/expected_result.nsec3
  84. +63 −18 regression-tests/start-test-stop
  85. +3 −3 regression-tests/two-level-nxdomain/expected_result.narrow
  86. +3 −3 regression-tests/two-level-nxdomain/expected_result.nsec3
  87. +3 −3 regression-tests/underscore-sorting/expected_result.narrow
  88. +2 −2 regression-tests/underscore-sorting/expected_result.nsec3
  89. +3 −3 regression-tests/uppercase-nsec/expected_result.narrow
  90. +2 −2 regression-tests/uppercase-nsec/expected_result.nsec3
  91. +15 −0 regression-tests/verify-dnssec-zone/expected_result
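--- a/.travis.yml
+++ b/.travis.yml
@@ -19,12 +19,16 @@ script:
 - ./start-test-stop 5300 bind-dnssec-presigned
 - ./start-test-stop 5300 bind-dnssec-nsec3
 - ./start-test-stop 5300 bind-dnssec-nsec3-presigned
+ - ./start-test-stop 5300 bind-dnssec-nsec3-optout
+ - ./start-test-stop 5300 bind-dnssec-nsec3-optout-presigned
 - ./start-test-stop 5300 gmysql-nodnssec
 - ./start-test-stop 5300 gmysql-nodnssec-presigned
 - ./start-test-stop 5300 gmysql
 - ./start-test-stop 5300 gmysql-presigned
 - ./start-test-stop 5300 gmysql-nsec3
 - ./start-test-stop 5300 gmysql-nsec3-presigned
+ - ./start-test-stop 5300 gmysql-nsec3-optout
+ - ./start-test-stop 5300 gmysql-nsec3-optout-presigned
 - ./start-test-stop 5300 gmysql-nsec3-narrow
 notifications:
 irc: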
@@ -969,7 +969,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
// cerr<<"Hash: "<<bdr.nsec3hash<<"\t"<< (lqname < bdr.nsec3hash) <<endl;
// }
- records_by_hashindex_t::const_iterator iter = hashindex.lower_bound(lqname);
+ records_by_hashindex_t::const_iterator iter = hashindex.upper_bound(lqname);
if(iter != hashindex.begin() && (iter == hashindex.end() || iter->nsec3hash > lqname))
{
@@ -982,7 +982,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
}
bool wraponce = false;
- while(iter == hashindex.end() || !(iter->auth) || iter->nsec3hash.empty())
+ while(iter == hashindex.end() || (!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty())
{
iter--;
if(iter == hashindex.begin()) {
@@ -1009,7 +1009,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
iter = hashindex.begin();
}
- while(!(iter->auth) || iter->nsec3hash.empty())
+ while((!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty())
{
iter++;
if(iter == hashindex.end())
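Review bot: The loop condition added as `while(iter == hashindex.end() || (!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty())` and its twin in the third hunk is a triple-negated expression duplicated verbatim, and nothing in the hunk says what it selects. A comment above each loop would help, e.g. `// NSEC3 owners are the auth names plus, when opt-out is off, the NS set of each delegation below 'auth' (RFC 5155 §7.1)`, or better, fold the test into one small predicate called from both loops so the two copies cannot drift apart. getBeforeAndAfterNamesAbsolute begins before the first hunk and ends after the last, so the role of `auth` and `ns3pr` there is inferred from their names rather than visible.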
@@ -459,9 +459,9 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
DNSResourceRecord rr;
if(!unhashed.empty()) {
- B.lookup(QType(QType::ANY), unhashed);
+ B.lookup(QType(QType::ANY), unhashed, NULL, sd.domain_id);
while(B.get(rr)) {
- if(rr.domain_id == sd.domain_id && rr.qtype.getCode()) // skip out of zone data and empty non-terminals
+ if(rr.qtype.getCode() && (rr.qtype.getCode() == QType::NS || rr.auth)) // skip empty non-terminals
n3rc.d_set.insert(rr.qtype.getCode());
}
@@ -471,7 +471,7 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
}
}
- if (n3rc.d_set.size())
+ if (n3rc.d_set.size() && !(n3rc.d_set.size() == 1 && n3rc.d_set.count(QType::NS)))
n3rc.d_set.insert(QType::RRSIG);
n3rc.d_nexthash=end;
@@ -571,7 +571,7 @@ bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hash
void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
{
- // L<<"mode="<<mode<<" target="<<target<<" wildcard="<<wildcard<<" auth="<<auth<<endl;
+ DLOG(L<<"mode="<<mode<<" target="<<target<<" wildcard="<<wildcard<<" auth="<<auth<<endl);
SOAData sd;
sd.db = (DNSBackend*)-1;
@@ -604,7 +604,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
unhashed=(mode == 0 || mode == 5) ? target : closest;
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
- // L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+ DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
DLOG(L<<"Done calling for matching, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -620,7 +620,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
while( chopOff( next ) && !pdns_iequals(next, closest));
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
- // L<<"2 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+ DLOG(L<<"2 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
getNSEC3Hashes(narrow, sd.db,sd.domain_id, hashed, true, unhashed, before, after);
DLOG(L<<"Done calling for covering, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -632,7 +632,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
unhashed=dotConcat("*", closest);
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
- // L<<"3 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+ DLOG(L<<"3 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, (mode != 2), unhashed, before, after);
DLOG(L<<"Done calling for '*', hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -1010,7 +1010,6 @@ bool PacketHandler::addDSforNS(DNSPacket* p, DNSPacket* r, SOAData& sd, const st
while(B.get(rr)) {
gotOne=true;
rr.d_place = DNSResourceRecord::AUTHORITY;
- rr.auth=true; // please sign it!
r->addRecord(rr);
}
return gotOne;
@@ -1269,8 +1268,6 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
if (p->qtype.getCode() == QType::ANY && rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
continue; //TODO: this actually means addRRSig should check if the RRSig is already there.
- if(rr.qtype.getCode() == QType::DS)
- rr.auth = 1;
// cerr<<"Auth: "<<rr.auth<<", "<<(rr.qtype == p->qtype)<<", "<<rr.qtype.getName()<<endl;
if((p->qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth)
weDone=1;
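Review bot: Dropping `rr.auth=true` in addDSforNS and the `rr.qtype.getCode() == QType::DS` override in questionOrRecurse makes the signing of DS at a delegation depend entirely on the auth flag stored by the backend, which this commit populates through setDNSSECAuthOnDsRecord during rectify-zone; a zone that is not rectified after upgrading would presumably answer DS without an RRSIG, and the child's chain of trust then fails to validate. If that is the intended contract it deserves a line in addDSforNS, e.g. `// DS signing relies on rr.auth as stored by the backend (set by rectify-zone); unrectified zones serve unsigned DS`, plus an upgrade note in the documentation. In emitNSEC3 the comment `// skip empty non-terminals` no longer describes the condition, which now also drops non-authoritative data other than NS; something like `// skip empty non-terminals and glue; delegation NS stays in the bitmap although it is not auth` fits better. Both addDSforNS and questionOrRecurse extend outside their hunks.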
@@ -199,56 +199,47 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
}
else
sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
- if(realrr)
- {
- if (dsnames.count(qname))
- sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
- if (!auth || nsset.count(qname)) {
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
- }
- }
}
else // NSEC
{
- if(realrr)
- {
- sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
- if (dsnames.count(qname))
- sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
- if (!auth || nsset.count(qname)) {
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
- }
- }
- else
- {
+ sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
+ if (!realrr)
sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
- }
}
- if(auth && realrr && doent)
+ if(realrr)
{
- shorter=qname;
- while(!pdns_iequals(shorter, zone) && chopOff(shorter))
+ if (dsnames.count(qname))
+ sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
+ if (!auth || nsset.count(qname)) {
+ if(haveNSEC3 && ns3pr.d_flags)
+ sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
+ sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
+ sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
+ }
+
+ if(auth && doent)
{
- if(!qnames.count(shorter) && !nonterm.count(shorter))
+ shorter=qname;
+ while(!pdns_iequals(shorter, zone) && chopOff(shorter))
{
- if(!(maxent))
+ if(!qnames.count(shorter) && !nonterm.count(shorter))
{
- cerr<<"Zone '"<<zone<<"' has too many empty non terminals."<<endl;
- insnonterm.clear();
- delnonterm.clear();
- doent=false;
- break;
+ if(!(maxent))
+ {
+ cerr<<"Zone '"<<zone<<"' has too many empty non terminals."<<endl;
+ insnonterm.clear();
+ delnonterm.clear();
+ doent=false;
+ break;
+ }
+ nonterm.insert(shorter);
+ if (!delnonterm.count(shorter))
+ insnonterm.insert(shorter);
+ else
+ delnonterm.erase(shorter);
+ --maxent;
}
- nonterm.insert(shorter);
- if (!delnonterm.count(shorter))
- insnonterm.insert(shorter);
- else
- delnonterm.erase(shorter);
- --maxent;
}
}
}
@@ -1061,16 +1052,14 @@ try
cerr<<"Syntax: pdnssec set-nsec3 ZONE 'params' [narrow]"<<endl;
return 0;
}
- string nsec3params = cmds.size() > 2 ? cmds[2] : "1 1 1 ab";
+ string nsec3params = cmds.size() > 2 ? cmds[2] : "1 0 1 ab";
bool narrow = cmds.size() > 3 && cmds[3]=="narrow";
NSEC3PARAMRecordContent ns3pr(nsec3params);
- if(!ns3pr.d_flags) {
- cerr<<"PowerDNS only implements opt-out zones, please set the second parameter to '1' (example, '1 1 1 ab')"<<endl;
- return 0;
- }
-
dk.setNSEC3PARAM(cmds[1], ns3pr, narrow);
- cerr<<"NSEC3 set, please rectify-zone if your backend needs it"<<endl;
+ if (!ns3pr.d_flags)
+ cerr<<"NSEC3 set, please rectify-zone if your backend needs it"<<endl;
+ else
+ cerr<<"NSEC3 (opt-out) set, please rectify-zone if your backend needs it"<<endl;
}
else if(cmds[0]=="set-presigned") {
if(cmds.size() < 2) {
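Review bot: The default NSEC3PARAM in set-nsec3 silently changes from `"1 1 1 ab"` to `"1 0 1 ab"`, so a script that omits the params argument now gets a non-opt-out zone where it previously got opt-out, and the help text still does not mention any default. Consider `cerr<<"Syntax: pdnssec set-nsec3 ZONE 'params' [narrow]  (default params '1 0 1 ab'; flags 1 = opt-out)"<<endl;` and a changelog entry for the changed default. The reworked rectifyZone block from `if(realrr)` through the empty-non-terminal loop is now repeated almost line for line in CommunicatorClass::suck in slavecommunicator.cc, differing only in `ns3pr.d_flags` versus `gotOptOutFlag` and in the backend handle; a shared helper taking the backend and the opt-out flag would keep the two from drifting, as they already have in the "too many empty non terminals" branch. rectifyZone starts before the hunk.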
@@ -13,11 +13,12 @@ try
bool dnssec=false;
bool recurse=false;
bool tcp=false;
+ bool showflags=false;
reportAllTypes();
if(argc < 5) {
- cerr<<"Syntax: sdig IP-address port question question-type [dnssec|recurse]\n";
+ cerr<<"Syntax: sdig IP-address port question question-type [dnssec|dnssec-tcp|recurse] [showflags]\n";
exit(EXIT_FAILURE);
}
@@ -38,6 +39,11 @@ try
recurse=true;
}
+ if((argc > 5 && strcmp(argv[5], "showflags")==0) || (argc > 6 && strcmp(argv[6], "showflags")==0))
+ {
+ showflags=true;
+ }
+
vector<uint8_t> packet;
DNSPacketWriter pw(packet, argv[3], DNSRecordContent::TypeToNumber(argv[4]));
@@ -132,6 +138,16 @@ try
stringtok(parts, zoneRep);
cout<<"\t"<<i->first.d_ttl<<"\t"<< parts[0]<<" "<<parts[1]<<" "<<parts[2]<<" "<<parts[3]<<" [expiry] [inception] [keytag] "<<parts[7]<<" ...\n";
}
+ else if(!showflags && i->first.d_type == QType::NSEC3)
+ {
+ string zoneRep = i->first.d_content->getZoneRepresentation();
+ vector<string> parts;
+ stringtok(parts, zoneRep);
+ cout<<"\t"<<i->first.d_ttl<<"\t"<< parts[0]<<" [flags] "<<parts[2]<<" "<<parts[3]<<" "<<parts[4];
+ for(vector<string>::iterator iter = parts.begin()+5; iter != parts.end(); ++iter)
+ cout<<" "<<*iter;
+ cout<<"\n";
+ }
else if(i->first.d_type == QType::DNSKEY)
{
string zoneRep = i->first.d_content->getZoneRepresentation();
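Review bot: The new NSEC3 branch reads `parts[2]`, `parts[3]`, `parts[4]` and iterates from `parts.begin()+5` without checking `parts.size()`; `begin()+5` on a shorter vector is undefined behaviour, and sdig prints whatever the remote server returned. The RRSIG branch just above does the same unguarded indexing, so this may be accepted practice here, but wrapping the formatted output in `if(parts.size() >= 5)` and printing `zoneRep` verbatim otherwise is cheap. Whether getZoneRepresentation() for an NSEC3 always yields at least five tokens is not visible from this hunk, and the enclosing loop over `i` starts outside it.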
@@ -260,55 +260,50 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
}while(chopOff(shorter));
}
- if(dnssecZone && haveNSEC3)
+ if(haveNSEC3)
{
if(!narrow) {
hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth);
}
else
di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth);
- if(realrr)
- {
- if (dsnames.count(qname))
- di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
- if (!auth || nsset.count(qname)) {
- di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
- di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
- di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
- }
- }
}
else // NSEC
{
- if(realrr)
- {
- di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
- if (dsnames.count(qname))
- di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
- if (!auth || nsset.count(qname)) {
- di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
- di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
- }
- }
+ di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
+ if (!realrr)
+ di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth);
}
- if(auth && realrr && doent)
+ if(realrr)
{
- shorter=qname;
- while(!pdns_iequals(shorter, domain) && chopOff(shorter))
+ if (dsnames.count(qname))
+ di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
+ if (!auth || nsset.count(qname)) {
+ if(haveNSEC3 && gotOptOutFlag)
+ di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
+ di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
+ di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
+ }
+
+ if(auth && doent)
{
- if(!qnames.count(shorter) && !nonterm.count(shorter))
+ shorter=qname;
+ while(!pdns_iequals(shorter, domain) && chopOff(shorter))
{
- if(!(maxent))
+ if(!qnames.count(shorter) && !nonterm.count(shorter))
{
- L<<Logger::Error<<"AXFR zone "<<domain<<" has too many empty non terminals."<<endl;
- nonterm.empty();
- doent=false;
- break;
+ if(!(maxent))
+ {
+ L<<Logger::Error<<"AXFR zone "<<domain<<" has too many empty non terminals."<<endl;
+ nonterm.empty();
+ doent=false;
+ break;
+ }
+ nonterm.insert(shorter);
+ --maxent;
}
- nonterm.insert(shorter);
- --maxent;
}
}
}
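Review bot: `nonterm.empty();` on the re-indented line in the "too many empty non terminals" branch is a no-op: `empty()` is a query returning bool and does not clear the set, so `nonterm` keeps the partial ENT set while `doent` is switched off; `nonterm.clear();` is what the surrounding code intends, and it matches the parallel branch in pdnssec.cc (`insnonterm.clear(); delnonterm.clear();`). Whether a stale `nonterm` is consumed later is not visible here, since suck() continues outside the hunk. The whole `if(realrr)` block otherwise mirrors rectifyZone in pdnssec.cc line for line and is a candidate for a shared helper taking the backend and the opt-out flag.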
@@ -616,11 +616,14 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
}
}
+ uint8_t flags;
+
if(NSEC3Zone) { // now stuff in the NSEC3PARAM
+ flags = ns3pr.d_flags;
rr.qtype = QType(QType::NSEC3PARAM);
ns3pr.d_flags = 0;
rr.content = ns3pr.getZoneRepresentation();
- ns3pr.d_flags = 1;
+ ns3pr.d_flags = flags;
string keyname = hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname);
NSECXEntry& ne = nsecxrepo[keyname];
@@ -657,7 +660,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname);
NSECXEntry& ne = nsecxrepo[keyname];
ne.d_ttl = sd.default_ttl;
- ne.d_auth = (ne.d_auth || rr.auth);
+ ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && !ns3pr.d_flags));
if (rr.qtype.getCode()) {
ne.d_set.insert(rr.qtype.getCode());
}
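Review bot: `uint8_t flags;` is declared uninitialised two lines above the `if(NSEC3Zone)` block and is only assigned and read inside it; declaring it at first use, `const uint8_t savedFlags = ns3pr.d_flags;` as the block's first line, keeps it scoped and const and removes a may-be-uninitialised warning candidate. A short comment on why the flags are zeroed around getZoneRepresentation() would also help, e.g. `// NSEC3PARAM is published with Flags=0 (RFC 5155 §4.1.2); the opt-out bit belongs to the NSEC3 records only`. In the second hunk, `ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && !ns3pr.d_flags));` marks every name reaching this loop as an NSEC3 owner in non-opt-out zones; if glue-only names reach it (the filtering earlier in doAXFR is outside the hunk) they would get an NSEC3 record they should not have, so that is worth confirming. doAXFR begins and ends outside the hunks.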
@@ -4,7 +4,10 @@ rm -f trustedkeys
rm -f unbound-host.conf
for zone in $(grep zone named.conf | cut -f2 -d\")
do
+ if [ "${zone: 0:16}" != "secure-delegated" ]
+ then
drill -p $port -o rd -D dnskey $zone @$nameserver | grep -v '^;' | grep -v AwEAAarTiHhPgvD28WCN8UBXcEcf8f >> trustedkeys
+ fi
echo "stub-zone:" >> unbound-host.conf
echo " name: $zone" >> unbound-host.conf
echo " stub-addr: $nameserver@$port" >> unbound-host.conf
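Review bot: `"${zone: 0:16}"` is a bash-only substring expansion, and the script's interpreter line is outside the hunk; under a POSIX sh the test fails with a bad substitution and every zone, including the delegated one, lands in trustedkeys. A portable form is `case "$zone" in secure-delegated*) ;; *) drill -p $port -o rd -D dnskey $zone @$nameserver | grep -v '^;' | grep -v AwEAAarTiHhPgvD28WCN8UBXcEcf8f >> trustedkeys ;; esac`, which also drops the magic length 16. A one-line comment on the intent would help too, e.g. `# the delegated child zone must validate through the parent's DS, not as its own trust anchor` — presumably that is the purpose, given the new secure-delegated.dnssec-parent.com zone in this commit.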