
fix NSEC3s for DS no data (mode 1)

1 parent f75293f commit 3191709d18ba4bd049804365df103996881e5564 @mind04 mind04 committed with mind04 Nov 21, 2013
@@ -550,7 +550,7 @@ static void decrementHash(std::string& raw) // I wonder if this is correct, cmou
}
-bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after)
+bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after, int mode)
{
bool ret;
if(narrow) { // nsec3-narrow
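Review bot: The new `mode` parameter is a bare int whose numbering is defined by PacketHandler::addNSEC3, and nothing at this definition says what values matter here; as far as the visible hunks show only `mode == 1` is ever consulted, and only on the non-narrow path, so a comment above the signature such as `// mode: addNSEC3 response mode; only mode 1 (NoData, QTYPE=DS) changes behaviour here, and only when !narrow` would save the next reader a trip through the caller. The same comment belongs on the declaration in the packethandler.hh hunk, which is also where the `int mode=0` default lives, so every existing caller that omits the argument silently keeps the old lookup behaviour. getNSEC3Hashes continues past the end of this hunk.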
@@ -564,7 +564,7 @@ bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hash
incrementHash(after);
}
else {
- if (decrement)
+ if (decrement || mode ==1)
before.clear();
else
before=' ';
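Review bot: `mode ==1` on the changed line is a magic number with inconsistent spacing, and the line does not say why a DS no-data lookup wants the same `before` handling as `decrement`; the reason is only visible in addNSEC3, which afterwards tests `hashed != before` to decide whether a matching NSEC3 exists. Suggest `if (decrement || mode == 1) // mode 1 (DS no-data): same lookup as decrement, addNSEC3 checks hashed != before afterwards`.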
@@ -586,8 +586,8 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
// cerr<<"Could not get SOA for domain in NSEC3\n";
return;
}
- // cerr<<"salt in ph: '"<<makeHexDump(ns3rc.d_salt)<<"', narrow="<<narrow<<endl;
-
+
+ bool doNextcloser = false;
string unhashed, hashed, before, after;
string closest;
@@ -596,34 +596,42 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
chopOff(closest);
} else
closest=target;
-
- if (mode == 1) {
- DNSResourceRecord rr;
- while( chopOff( closest ) && (closest != sd.qname)) { // stop at SOA
- B.lookup(QType(QType::ANY), closest, p, sd.domain_id);
- if (B.get(rr)) {
- while(B.get(rr));
- break;
- }
- }
- }
-
+
// add matching NSEC3 RR
// we used to skip this one for mode 3, but old BIND needs it
// see https://github.com/PowerDNS/pdns/issues/814
if (mode != 3 || g_addSuperfluousNSEC3) {
- unhashed=(mode == 0 || mode == 5) ? target : closest;
-
+ unhashed=(mode == 0 || mode == 1 || mode == 5) ? target : closest;
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
-
- getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
+
+ getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after, mode);
+
+ if (mode == 1 && (hashed != before)) {
+ DLOG(L<<"No matching NSEC3 for DS, do closest (provable) encloser"<<endl);
+
+ DNSResourceRecord rr;
+ while( chopOff( closest ) && (closest != sd.qname)) { // stop at SOA
+ B.lookup(QType(QType::ANY), closest, p, sd.domain_id);
+ if (B.get(rr)) {
+ while(B.get(rr));
+ break;
+ }
+ }
+ doNextcloser = true;
+ unhashed=closest;
+ hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
+ DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
+
+ getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
+ }
+
DLOG(L<<"Done calling for matching, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
emitNSEC3(ns3rc, sd, unhashed, before, after, target, r, mode);
}
// add covering NSEC3 RR
- if (mode != 0 && mode != 5) {
+ if ((mode >= 2 && mode <= 4) || doNextcloser) {
string next(target);
do {
unhashed=next;
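Review bot: The closest-encloser loop at `while( chopOff( closest ) && (closest != sd.qname))` treats any record returned by `B.lookup(QType(QType::ANY), ...)` as proof that `closest` has a matching NSEC3, but in an opt-out zone — the situation in which a DS name is most likely to lack a matching NSEC3, and what the flags=1 expected-output fixtures exercise — the backend can also hold names that are not NSEC3-covered (the NS and glue of an insecure delegation), so the encloser this picks may not be provable; if DNSResourceRecord carries an auth flag in this version the loop should only stop on an authoritative record, otherwise the `// stop at SOA` comment should state why any record suffices. Separately, the second `getNSEC3Hashes(...)` call inside the `mode == 1` block omits `mode` and so relies on the header's default of 0 while the first call passes it; presumably deliberate, since the encloser found by the loop exists and an exact match is wanted, but passing `0` explicitly with a short comment would make that readable. The fallback also repeats `DLOG(L<<"1 hash: "...)` verbatim, so the two traces cannot be told apart; a distinct label such as `"1 hash (closest encloser): "` would fix that. addNSEC3 starts before and continues past this hunk.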
@@ -128,5 +128,5 @@ private:
DNSSECKeeper d_dk; // same, might even share B?
};
void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOAData& sd, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);
-bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after);
+bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after, int mode=0);
#endif /* PACKETHANDLER */
@@ -1,9 +1,7 @@
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1
-1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS
+1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='usa.example.com.', qtype=DS
@@ -2,8 +2,6 @@
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 0 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO NS
1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='usa.example.com.', qtype=DS
@@ -1,9 +1,7 @@
-1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK
-1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK NS
+1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8V A NS SOA RRSIG DNSKEY NSEC3PARAM
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS
@@ -2,8 +2,6 @@
1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 0 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS
@@ -1,9 +1,7 @@
-1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1
-1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS
+1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
1 usa.example.com. IN NS 120 usa-ns1.usa.example.com.
1 usa.example.com. IN NS 120 usa-ns2.usa.example.com.
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
2 usa-ns1.usa.example.com. IN A 120 192.168.4.1
2 usa-ns2.usa.example.com. IN A 120 192.168.4.2
@@ -2,8 +2,6 @@
1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
1 usa.example.com. IN NS 120 usa-ns1.usa.example.com.
1 usa.example.com. IN NS 120 usa-ns2.usa.example.com.
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
2 usa-ns1.usa.example.com. IN A 120 192.168.4.1
2 usa-ns2.usa.example.com. IN A 120 192.168.4.2
@@ -1,8 +1,6 @@
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
1 blah.test.com. IN NS 3600 blah.test.com.
-1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN NSEC3 86400 1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC
-1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN NSEC3 86400 1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC NS
+1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
2 . IN OPT 32768
2 blah.test.com. IN A 3600 192.168.6.1
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
@@ -1,5 +1,3 @@
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 0 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
1 blah.test.com. IN NS 3600 blah.test.com.
1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN NSEC3 86400 1 0 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA NS
1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
