Merge branch 'nsec3optout' of github.com:mind04/pdns into mind04-nsec…

…3optout

.travis.yml

@@ -19,12 +19,16 @@ script:
  - ./start-test-stop 5300 bind-dnssec-presigned
  - ./start-test-stop 5300 bind-dnssec-nsec3
  - ./start-test-stop 5300 bind-dnssec-nsec3-presigned
+ - ./start-test-stop 5300 bind-dnssec-nsec3-optout
+ - ./start-test-stop 5300 bind-dnssec-nsec3-optout-presigned 
  - ./start-test-stop 5300 gmysql-nodnssec
  - ./start-test-stop 5300 gmysql-nodnssec-presigned
  - ./start-test-stop 5300 gmysql
  - ./start-test-stop 5300 gmysql-presigned
  - ./start-test-stop 5300 gmysql-nsec3
  - ./start-test-stop 5300 gmysql-nsec3-presigned
+ - ./start-test-stop 5300 gmysql-nsec3-optout
+ - ./start-test-stop 5300 gmysql-nsec3-optout-presigned 
  - ./start-test-stop 5300 gmysql-nsec3-narrow
 notifications:
   irc:

pdns/backends/bind/bindbackend2.cc

@@ -969,7 +969,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
 //      cerr<<"Hash: "<<bdr.nsec3hash<<"\t"<< (lqname < bdr.nsec3hash) <<endl;
 //    }
 
-    records_by_hashindex_t::const_iterator iter = hashindex.lower_bound(lqname);
+    records_by_hashindex_t::const_iterator iter = hashindex.upper_bound(lqname);
 
     if(iter != hashindex.begin() && (iter == hashindex.end() || iter->nsec3hash > lqname))
     {
@@ -982,7 +982,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
     }
 
     bool wraponce = false;
-    while(iter == hashindex.end() || !(iter->auth) || iter->nsec3hash.empty())
+    while(iter == hashindex.end() || (!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty())
     {
       iter--;
       if(iter == hashindex.begin()) {
@@ -1009,7 +1009,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
       iter = hashindex.begin();
     }
 
-    while(!(iter->auth) || iter->nsec3hash.empty())
+    while((!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty())
     {
       iter++;
       if(iter == hashindex.end())

pdns/packethandler.cc

@@ -459,9 +459,9 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
 
   DNSResourceRecord rr;
   if(!unhashed.empty()) {
-    B.lookup(QType(QType::ANY), unhashed);
+    B.lookup(QType(QType::ANY), unhashed, NULL, sd.domain_id);
     while(B.get(rr)) {
-      if(rr.domain_id == sd.domain_id && rr.qtype.getCode()) // skip out of zone data and empty non-terminals
+      if(rr.qtype.getCode() && (rr.qtype.getCode() == QType::NS || rr.auth)) // skip empty non-terminals
         n3rc.d_set.insert(rr.qtype.getCode());
     }
 
@@ -471,7 +471,7 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
     }
   }
 
-  if (n3rc.d_set.size())
+  if (n3rc.d_set.size() && !(n3rc.d_set.size() == 1 && n3rc.d_set.count(QType::NS)))
     n3rc.d_set.insert(QType::RRSIG);
 
   n3rc.d_nexthash=end;
@@ -571,7 +571,7 @@ bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hash
 
 void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
 {
-  // L<<"mode="<<mode<<" target="<<target<<" wildcard="<<wildcard<<" auth="<<auth<<endl;
+  DLOG(L<<"mode="<<mode<<" target="<<target<<" wildcard="<<wildcard<<" auth="<<auth<<endl);
 
   SOAData sd;
   sd.db = (DNSBackend*)-1;
@@ -604,7 +604,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     unhashed=(mode == 0 || mode == 5) ? target : closest;
 
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
-    // L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+    DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
 
     getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, false, unhashed, before, after);
     DLOG(L<<"Done calling for matching, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -620,7 +620,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     while( chopOff( next ) && !pdns_iequals(next, closest));
 
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
-    // L<<"2 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+    DLOG(L<<"2 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
 
     getNSEC3Hashes(narrow, sd.db,sd.domain_id,  hashed, true, unhashed, before, after);
     DLOG(L<<"Done calling for covering, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -632,7 +632,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     unhashed=dotConcat("*", closest);
 
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
-    // L<<"3 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+    DLOG(L<<"3 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
 
     getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, (mode != 2), unhashed, before, after);
     DLOG(L<<"Done calling for '*', hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -1010,7 +1010,6 @@ bool PacketHandler::addDSforNS(DNSPacket* p, DNSPacket* r, SOAData& sd, const st
   while(B.get(rr)) {
     gotOne=true;
     rr.d_place = DNSResourceRecord::AUTHORITY;
-    rr.auth=true; // please sign it!
     r->addRecord(rr);
   }
   return gotOne;
@@ -1269,8 +1268,6 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
       if (p->qtype.getCode() == QType::ANY && rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
         continue; //TODO: this actually means addRRSig should check if the RRSig is already there.
 
-      if(rr.qtype.getCode() == QType::DS)
-        rr.auth = 1;
       // cerr<<"Auth: "<<rr.auth<<", "<<(rr.qtype == p->qtype)<<", "<<rr.qtype.getName()<<endl;
       if((p->qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth) 
         weDone=1;

pdns/pdnssec.cc

@@ -199,56 +199,47 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
       }
       else
         sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
-      if(realrr)
-      {
-        if (dsnames.count(qname))
-          sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
-        if (!auth || nsset.count(qname)) {
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
-        }
-      }
     }
     else // NSEC
     {
-      if(realrr)
-      {
-        sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
-        if (dsnames.count(qname))
-          sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
-        if (!auth || nsset.count(qname)) {
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
-        }
-      }
-      else
-      {
+      sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
+      if (!realrr)
         sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
-      }
     }
 
-    if(auth && realrr && doent)
+    if(realrr)
     {
-      shorter=qname;
-      while(!pdns_iequals(shorter, zone) && chopOff(shorter))
+      if (dsnames.count(qname))
+        sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
+      if (!auth || nsset.count(qname)) {
+        if(haveNSEC3 && ns3pr.d_flags)
+          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
+        sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
+        sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
+      }
+
+      if(auth && doent)
       {
-        if(!qnames.count(shorter) && !nonterm.count(shorter))
+        shorter=qname;
+        while(!pdns_iequals(shorter, zone) && chopOff(shorter))
         {
-          if(!(maxent))
+          if(!qnames.count(shorter) && !nonterm.count(shorter))
           {
-            cerr<<"Zone '"<<zone<<"' has too many empty non terminals."<<endl;
-            insnonterm.clear();
-            delnonterm.clear();
-            doent=false;
-            break;
+            if(!(maxent))
+            {
+              cerr<<"Zone '"<<zone<<"' has too many empty non terminals."<<endl;
+              insnonterm.clear();
+              delnonterm.clear();
+              doent=false;
+              break;
+            }
+            nonterm.insert(shorter);
+            if (!delnonterm.count(shorter))
+              insnonterm.insert(shorter);
+            else
+              delnonterm.erase(shorter);
+            --maxent;
           }
-          nonterm.insert(shorter);
-          if (!delnonterm.count(shorter))
-            insnonterm.insert(shorter);
-          else
-            delnonterm.erase(shorter);
-          --maxent;
         }
       }
     }
@@ -1061,16 +1052,14 @@ try
       cerr<<"Syntax: pdnssec set-nsec3 ZONE 'params' [narrow]"<<endl;
       return 0;
     }
-    string nsec3params =  cmds.size() > 2 ? cmds[2] : "1 1 1 ab";
+    string nsec3params =  cmds.size() > 2 ? cmds[2] : "1 0 1 ab";
     bool narrow = cmds.size() > 3 && cmds[3]=="narrow";
     NSEC3PARAMRecordContent ns3pr(nsec3params);
-    if(!ns3pr.d_flags) {
-      cerr<<"PowerDNS only implements opt-out zones, please set the second parameter to '1' (example, '1 1 1 ab')"<<endl;
-      return 0;
-    }
-
     dk.setNSEC3PARAM(cmds[1], ns3pr, narrow);
-    cerr<<"NSEC3 set, please rectify-zone if your backend needs it"<<endl;
+    if (!ns3pr.d_flags)
+      cerr<<"NSEC3 set, please rectify-zone if your backend needs it"<<endl;
+    else
+      cerr<<"NSEC3 (opt-out) set, please rectify-zone if your backend needs it"<<endl;
   }
   else if(cmds[0]=="set-presigned") {
     if(cmds.size() < 2) {

pdns/sdig.cc

@@ -13,11 +13,12 @@ try
   bool dnssec=false;
   bool recurse=false;
   bool tcp=false;
+  bool showflags=false;
 
   reportAllTypes();
 
   if(argc < 5) {
-    cerr<<"Syntax: sdig IP-address port question question-type [dnssec|recurse]\n";
+    cerr<<"Syntax: sdig IP-address port question question-type [dnssec|dnssec-tcp|recurse] [showflags]\n";
     exit(EXIT_FAILURE);
   }
 
@@ -38,6 +39,11 @@ try
     recurse=true;
   }
 
+  if((argc > 5 && strcmp(argv[5], "showflags")==0) || (argc > 6 && strcmp(argv[6], "showflags")==0))
+  {
+    showflags=true;
+  }
+
   vector<uint8_t> packet;
 
   DNSPacketWriter pw(packet, argv[3], DNSRecordContent::TypeToNumber(argv[4]));
@@ -132,6 +138,16 @@ try
       stringtok(parts, zoneRep);
       cout<<"\t"<<i->first.d_ttl<<"\t"<< parts[0]<<" "<<parts[1]<<" "<<parts[2]<<" "<<parts[3]<<" [expiry] [inception] [keytag] "<<parts[7]<<" ...\n";
     }
+    else if(!showflags && i->first.d_type == QType::NSEC3)
+    {
+      string zoneRep = i->first.d_content->getZoneRepresentation();
+      vector<string> parts;
+      stringtok(parts, zoneRep);
+      cout<<"\t"<<i->first.d_ttl<<"\t"<< parts[0]<<" [flags] "<<parts[2]<<" "<<parts[3]<<" "<<parts[4];
+      for(vector<string>::iterator iter = parts.begin()+5; iter != parts.end(); ++iter)
+        cout<<" "<<*iter;
+      cout<<"\n";
+    }
     else if(i->first.d_type == QType::DNSKEY)
     {
       string zoneRep = i->first.d_content->getZoneRepresentation();

pdns/slavecommunicator.cc

@@ -260,55 +260,50 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
         }while(chopOff(shorter));
       }
 
-      if(dnssecZone && haveNSEC3)
+      if(haveNSEC3)
       {
         if(!narrow) { 
           hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
           di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth);
         }
         else
           di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth);
-        if(realrr)
-        {
-          if (dsnames.count(qname))
-            di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
-          if (!auth || nsset.count(qname)) {
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
-          }
-        }
       }
       else // NSEC
       {
-        if(realrr)
-        {
-          di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
-          if (dsnames.count(qname))
-            di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
-          if (!auth || nsset.count(qname)) {
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
-          }
-        }
+        di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
+        if (!realrr)
+          di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth);
       }
 
-      if(auth && realrr && doent)
+      if(realrr)
       {
-        shorter=qname;
-        while(!pdns_iequals(shorter, domain) && chopOff(shorter))
+        if (dsnames.count(qname))
+          di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
+        if (!auth || nsset.count(qname)) {
+          if(haveNSEC3 && gotOptOutFlag)
+            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
+          di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
+          di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
+        }
+
+        if(auth && doent)
         {
-          if(!qnames.count(shorter) && !nonterm.count(shorter))
+          shorter=qname;
+          while(!pdns_iequals(shorter, domain) && chopOff(shorter))
           {
-            if(!(maxent))
+            if(!qnames.count(shorter) && !nonterm.count(shorter))
             {
-              L<<Logger::Error<<"AXFR zone "<<domain<<" has too many empty non terminals."<<endl;
-              nonterm.empty();
-              doent=false;
-              break;
+              if(!(maxent))
+              {
+                L<<Logger::Error<<"AXFR zone "<<domain<<" has too many empty non terminals."<<endl;
+                nonterm.empty();
+                doent=false;
+                break;
+              }
+              nonterm.insert(shorter);
+              --maxent;
             }
-            nonterm.insert(shorter);
-            --maxent;
           }
         }
       }

pdns/tcpreceiver.cc

@@ -616,11 +616,14 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
     }
   }
 
+  uint8_t flags;
+
   if(NSEC3Zone) { // now stuff in the NSEC3PARAM
+    flags = ns3pr.d_flags;
     rr.qtype = QType(QType::NSEC3PARAM);
     ns3pr.d_flags = 0;
     rr.content = ns3pr.getZoneRepresentation();
-    ns3pr.d_flags = 1;
+    ns3pr.d_flags = flags;
     string keyname = hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname);
     NSECXEntry& ne = nsecxrepo[keyname];
 
@@ -657,7 +660,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
         keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname);
         NSECXEntry& ne = nsecxrepo[keyname];
         ne.d_ttl = sd.default_ttl;
-        ne.d_auth = (ne.d_auth || rr.auth);
+        ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && !ns3pr.d_flags));
         if (rr.qtype.getCode()) {
           ne.d_set.insert(rr.qtype.getCode());
         }

regression-tests/00dnssec-grabkeys/command

@@ -4,7 +4,10 @@ rm -f trustedkeys
 rm -f unbound-host.conf
 for zone in $(grep zone named.conf  | cut -f2 -d\")
 do
+    if [ "${zone: 0:16}" != "secure-delegated" ]
+    then
        drill -p $port -o rd -D dnskey $zone @$nameserver | grep -v '^;' | grep -v AwEAAarTiHhPgvD28WCN8UBXcEcf8f >> trustedkeys
+    fi
        echo "stub-zone:" >> unbound-host.conf
        echo "  name: $zone" >> unbound-host.conf
        echo "  stub-addr: $nameserver@$port" >> unbound-host.conf