Merge 26a82e5 into a6fde8d

pdns/recursordist/rec-zonetocache.cc

@@ -274,7 +274,7 @@ vState ZoneData::dnssecValidate(pdns::ZoneMD& zonemd, size_t& zonemdCount) const
   }
 
   skeyset_t validKeys;
-  vState dnsKeyState = validateDNSKeysAgainstDS(d_now, d_zone, dsmap, dnsKeys, records, zonemd.getRRSIGs(), validKeys, std::nullopt, validationContext);
+  vState dnsKeyState = validateDNSKeysAgainstDS(d_now, d_zone, dsmap, dnsKeys, records, zonemd.getRRSIGs(QType::DNSKEY), validKeys, std::nullopt, validationContext);
   if (dnsKeyState != vState::Secure) {
     return dnsKeyState;
   }
@@ -305,7 +305,7 @@ vState ZoneData::dnssecValidate(pdns::ZoneMD& zonemd, size_t& zonemdCount) const
       for (const auto& rec : zonemd.getNSEC3Params()) {
         records.emplace(rec);
       }
-      nsecValidationStatus = validateWithKeySet(d_now, d_zone, records, zonemd.getRRSIGs(), validKeys, std::nullopt, validationContext);
+      nsecValidationStatus = validateWithKeySet(d_now, d_zone, records, zonemd.getRRSIGs(QType::NSEC3PARAM), validKeys, std::nullopt, validationContext);
       if (nsecValidationStatus != vState::Secure) {
         d_log->info(Logr::Warning, "NSEC3PARAMS records did not validate");
         return nsecValidationStatus;
@@ -338,7 +338,7 @@ vState ZoneData::dnssecValidate(pdns::ZoneMD& zonemd, size_t& zonemdCount) const
   for (const auto& rec : zonemdRecords) {
     records.emplace(rec);
   }
-  return validateWithKeySet(d_now, d_zone, records, zonemd.getRRSIGs(), validKeys, std::nullopt, validationContext);
+  return validateWithKeySet(d_now, d_zone, records, zonemd.getRRSIGs(QType::ZONEMD), validKeys, std::nullopt, validationContext);
 }
 
 void ZoneData::ZoneToCache(const RecZoneToCache::Config& config)

pdns/zonemd.cc

@@ -77,7 +77,7 @@ void pdns::ZoneMD::processRecord(const DNSRecord& record)
       if (rrsig == nullptr) {
         throw PDNSException("Invalid RRSIG record");
       }
-      d_rrsigs.emplace_back(rrsig);
+      d_rrsigs[rrsig->d_type].emplace_back(rrsig);
       if (rrsig->d_type == QType::NSEC) {
         d_nsecs.signatures.emplace_back(rrsig);
       }

pdns/zonemd.hh

@@ -66,9 +66,12 @@ public:
   }
 
   // Return the zone's apex RRSIGs
-  [[nodiscard]] const std::vector<shared_ptr<const RRSIGRecordContent>>& getRRSIGs() const
+  [[nodiscard]] const std::vector<shared_ptr<const RRSIGRecordContent>>& getRRSIGs(QType requestedType)
   {
-    return d_rrsigs;
+    if (d_rrsigs.count(requestedType) == 0) {
+      d_rrsigs[requestedType] = {};
+    }
+    return d_rrsigs[requestedType];
   }
 
   // Return the zone's apex ZONEMDs
@@ -140,7 +143,7 @@ private:
 
   std::shared_ptr<const SOARecordContent> d_soaRecordContent;
   std::set<shared_ptr<const DNSKEYRecordContent>> d_dnskeys;
-  std::vector<shared_ptr<const RRSIGRecordContent>> d_rrsigs;
+  std::map<QType, std::vector<shared_ptr<const RRSIGRecordContent>>> d_rrsigs;
   std::vector<shared_ptr<const NSEC3PARAMRecordContent>> d_nsec3params;
   ContentSigPair d_nsecs;
   map<DNSName, ContentSigPair> d_nsec3s;

regression-tests.recursor-dnssec/test_ZTC.py

@@ -0,0 +1,31 @@
+import dns
+import time
+import os
+import subprocess
+
+from recursortests import RecursorTest
+
+class testZTC(RecursorTest):
+
+    _confdir = 'ZTC'
+    _config_template = """
+dnssec=validate
+"""
+    _lua_config_file = """
+zoneToCache(".", "axfr", "193.0.14.129") -- k-root
+"""
+
+    def testZTC(self):
+        grepCmd = ['grep', 'validationStatus="Secure"', 'configs/' + self._confdir + '/recursor.log']
+        ret = b''
+        for i in range(30):
+            time.sleep(1)
+            try:
+                ret = subprocess.check_output(grepCmd, stderr=subprocess.STDOUT)
+            except subprocess.CalledProcessError as e:
+                continue
+            print(b'A' + ret)
+            break
+        print(ret)
+        self.assertNotEqual(ret, b'')
+