don't add superfluous nsec3 for old bind

commit b50efd613f5376ff2ea1bd08f63d423d88ee1420 1 parent b81ff68
@mind04 mind04 authored
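--- a/debian/config/pdns.conf
+++ b/debian/config/pdns.conf
@@ -1,10 +1,5 @@
 # Autogenerated configuration file template
 #################################
-# add-superfluous-nsec3-for-old-bind Add superfluous NSEC3 record to positive wildcard response
-#
-# add-superfluous-nsec3-for-old-bind=yes
-
-#################################
 # allow-axfr-ips Allow zonetransfers only to these subnets
 #
 # allow-axfr-ips=0.0.0.0/0,::/0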
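--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -156,7 +156,6 @@ void declareArguments()
 ::arg().setSwitch("traceback-handler","Enable the traceback handler (Linux only)")="yes";
 ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
- ::arg().setSwitch("add-superfluous-nsec3-for-old-bind","Add superfluous NSEC3 record to positive wildcard response")="yes";
 ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256";
 ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
 ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
@@ -356,7 +355,6 @@ void mainthread()
 newuid=Utility::makeUidNumeric(::arg()["setuid"]);
 g_anyToTcp = ::arg().mustDo("any-to-tcp");
- g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind");
 DNSPacket::s_udpTruncationThreshold = std::max(512, ::arg().asNum("udp-truncation-threshold"));
 DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");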
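--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -642,9 +642,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
 closest=target;
 // add matching NSEC3 RR
- // we used to skip this one for mode 3, but old BIND needs it
- // see https://github.com/PowerDNS/pdns/issues/814
- if (mode != 3 || g_addSuperfluousNSEC3) {
+ if (mode != 3) {
 unhashed=(mode == 0 || mode == 1 || mode == 5) ? target : closest;
 hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
 DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);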
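Review bot: The new `if (mode != 3) {` guard in addNSEC3 has no comment saying why mode 3 skips the matching NSEC3, because the two removed comment lines were the only explanation at this spot. A replacement such as `// mode 3 (positive wildcard answer): matching NSEC3 is superfluous, validators only need the next-closer cover` would keep the intent readable; the meaning of mode 3 is inferred here from the removed option text and the nsecx-mode3-wildcard test. The removed comment pointed at issue 814, where old BIND validators needed this record, so removing the switch outright instead of defaulting it to `no` leaves operators with such resolvers no fallback, and a pdns.conf that still sets `add-superfluous-nsec3-for-old-bind` may be rejected if the argument parser treats undeclared settings as errors; both deserve a release note. No hunk on this page removes the definition or extern declaration of `g_addSuperfluousNSEC3`, so it may be left behind as an unused global. addNSEC3 starts and ends outside this hunk.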
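--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -1,10 +1,5 @@
 # Autogenerated configuration file template
 #################################
-# add-superfluous-nsec3-for-old-bind Add superfluous NSEC3 record to positive wildcard response
-#
-# add-superfluous-nsec3-for-old-bind=yes
-
-#################################
 # allow-2136-from A global setting to allow RFC2136 from these IP ranges.
 #
 # allow-2136-from=0.0.0.0/0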
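--- a/regression-tests/tests/any-wildcard-dnssec/expected_result.narrow
+++ b/regression-tests/tests/any-wildcard-dnssec/expected_result.narrow
@@ -1,7 +1,5 @@
 0 www.something.wtest.com. IN A 3600 4.3.2.1
 0 www.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1 7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A
 1 7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2 . IN OPT 32768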
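--- a/regression-tests/tests/any-wildcard-dnssec/expected_result.nsec3
+++ b/regression-tests/tests/any-wildcard-dnssec/expected_result.nsec3
@@ -1,7 +1,5 @@
 0 www.something.wtest.com. IN A 3600 4.3.2.1
 0 www.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1 7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 95QOQ246KN3VM7HL8KVG8O45JIHMNLNG A RRSIG
 1 7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2 . IN OPT 32768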
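--- a/regression-tests/tests/cname-wildcard-chain/expected_result.narrow
+++ b/regression-tests/tests/cname-wildcard-chain/expected_result.narrow
@@ -12,20 +12,10 @@
 0 x.y.z.w5.example.com. IN RRSIG 120 A 8 3 120 [expiry] [inception] [keytag] example.com. ...
 1 6jmrie0v0hnp2flflt36lur7c08n9h45.example.com. IN NSEC3 86400 1 [flags] 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47
 1 6jmrie0v0hnp2flflt36lur7c08n9h45.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 936eebq7jr1uc4bn1maa69a3aupeitfc.example.com. IN NSEC3 86400 1 [flags] 1 abcd 936EEBQ7JR1UC4BN1MAA69A3AUPEITFD
-1 936eebq7jr1uc4bn1maa69a3aupeitfc.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 a376dj0hnucs849r3dp2evrvbg967oeu.example.com. IN NSEC3 86400 1 [flags] 1 abcd A376DJ0HNUCS849R3DP2EVRVBG967OEV
-1 a376dj0hnucs849r3dp2evrvbg967oeu.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 akad2jtk186u143vhl92en81u06ljna5.example.com. IN NSEC3 86400 1 [flags] 1 abcd AKAD2JTK186U143VHL92EN81U06LJNA6
-1 akad2jtk186u143vhl92en81u06ljna5.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 atcf56s7ucntm82nht67p3g2nqteplou.example.com. IN NSEC3 86400 1 [flags] 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0
 1 atcf56s7ucntm82nht67p3g2nqteplou.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com. IN NSEC3 86400 1 [flags] 1 abcd B3MJ2RAG3TFRK0CBK5UVLM9HNT6K6TMK
-1 b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 b6drqdikagd74fa5eme4sdiek1s06343.example.com. IN NSEC3 86400 1 [flags] 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345
 1 b6drqdikagd74fa5eme4sdiek1s06343.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 bi61d8htvrnfktnig400n722d2v3lq1i.example.com. IN NSEC3 86400 1 [flags] 1 abcd BI61D8HTVRNFKTNIG400N722D2V3LQ1J
-1 bi61d8htvrnfktnig400n722d2v3lq1i.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com. IN NSEC3 86400 1 [flags] 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI
 1 lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 vsfa79vv78gd61567bkcai646ta0p276.example.com. IN NSEC3 86400 1 [flags] 1 abcd VSFA79VV78GD61567BKCAI646TA0P278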
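--- a/regression-tests/tests/cname-wildcard-chain/expected_result.nsec3
+++ b/regression-tests/tests/cname-wildcard-chain/expected_result.nsec3
@@ -12,20 +12,10 @@
 0 x.y.z.w5.example.com. IN RRSIG 120 A 8 3 120 [expiry] [inception] [keytag] example.com. ...
 1 6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com. IN NSEC3 86400 1 [flags] 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG
 1 6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 936eebq7jr1uc4bn1maa69a3aupeitfc.example.com. IN NSEC3 86400 1 [flags] 1 abcd 938CRGVGJ6PEHDHT49EJCEIIRMH75IJ8
-1 936eebq7jr1uc4bn1maa69a3aupeitfc.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 a376dj0hnucs849r3dp2evrvbg967oeu.example.com. IN NSEC3 86400 1 [flags] 1 abcd A37U32P0GF09BE4EHU7VTEESS1GU45UB
-1 a376dj0hnucs849r3dp2evrvbg967oeu.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 akad2jtk186u143vhl92en81u06ljna5.example.com. IN NSEC3 86400 1 [flags] 1 abcd AKATF5BN9NMCT00E5PLMMOJM196CHN71
-1 akad2jtk186u143vhl92en81u06ljna5.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com. IN NSEC3 86400 1 [flags] 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG
 1 atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com. IN NSEC3 86400 1 [flags] 1 abcd B3ONOQ30J349UAJOB6H2FM1FIT3TOJKR
-1 b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com. IN NSEC3 86400 1 [flags] 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG
 1 b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 bi61d8htvrnfktnig400n722d2v3lq1i.example.com. IN NSEC3 86400 1 [flags] 1 abcd BI7NGLVDS01SK3172JRF6UPDINT4OEDL
-1 bi61d8htvrnfktnig400n722d2v3lq1i.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 lqu3s8oae1ipc1iobnslma8igo1335a4.example.com. IN NSEC3 86400 1 [flags] 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG
 1 lqu3s8oae1ipc1iobnslma8igo1335a4.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com. IN NSEC3 86400 1 [flags] 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG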
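--- a/regression-tests/tests/ent-wildcard-below-ent/expected_result.narrow
+++ b/regression-tests/tests/ent-wildcard-below-ent/expected_result.narrow
@@ -2,8 +2,6 @@
 0 something.a.b.c.test.com. IN RRSIG 3600 A 8 5 3600 [expiry] [inception] [keytag] test.com. ...
 1 qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com. IN NSEC3 86400 1 [flags] 1 abcd QJEIRDHB04IR4VBS5PBBHBUE69DLQ9NT
 1 qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
-1 vlvujatanof6feajoesti9kq4s0crst3.test.com. IN NSEC3 86400 1 [flags] 1 abcd VLVUJATANOF6FEAJOESTI9KQ4S0CRST4
-1 vlvujatanof6feajoesti9kq4s0crst3.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2 . IN OPT 32768
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='something.a.b.c.test.com.', qtype=A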
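--- a/regression-tests/tests/ent-wildcard-below-ent/expected_result.nsec3
+++ b/regression-tests/tests/ent-wildcard-below-ent/expected_result.nsec3
@@ -2,8 +2,6 @@
 0 something.a.b.c.test.com. IN RRSIG 3600 A 8 5 3600 [expiry] [inception] [keytag] test.com. ...
 1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN NSEC3 86400 1 [flags] 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G4 CNAME RRSIG
 1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
-1 vlvujatanof6feajoesti9kq4s0crst3.test.com. IN NSEC3 86400 1 [flags] 1 abcd 0BH8DI769I8VVTKDDS8EFJDA19ABIGO5
-1 vlvujatanof6feajoesti9kq4s0crst3.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2 . IN OPT 32768
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='something.a.b.c.test.com.', qtype=A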
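--- a/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.narrow
+++ b/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.narrow
@@ -1,7 +1,5 @@
 0 www.a.b.c.d.e.something.wtest.com. IN A 3600 4.3.2.1
 0 www.a.b.c.d.e.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1 pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0
 1 pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2 . IN OPT 32768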
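--- a/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
+++ b/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
@@ -1,7 +1,5 @@
 0 www.a.b.c.d.e.something.wtest.com. IN A 3600 4.3.2.1
 0 www.a.b.c.d.e.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2 . IN OPT 32768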
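--- a/regression-tests/tests/five-levels-wildcard/expected_result.narrow
+++ b/regression-tests/tests/five-levels-wildcard/expected_result.narrow
@@ -1,7 +1,5 @@
 0 www.a.b.c.d.e.wtest.com. IN A 3600 6.7.8.9
 0 www.a.b.c.d.e.wtest.com. IN RRSIG 3600 A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
-1 bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd BAGSLTIUMGOAVHE3IG8960L8J2IL0MH9 TXT RRSIG
-1 bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1 pet5iqbgccga60p2n38nmuanrk50papg.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI
 1 pet5iqbgccga60p2n38nmuanrk50papg.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2 . IN OPT 32768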
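--- a/regression-tests/tests/five-levels-wildcard/expected_result.nsec3
+++ b/regression-tests/tests/five-levels-wildcard/expected_result.nsec3
@@ -1,7 +1,5 @@
 0 www.a.b.c.d.e.wtest.com. IN A 3600 6.7.8.9
 0 www.a.b.c.d.e.wtest.com. IN RRSIG 3600 A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
-1 bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd CV382M4JQHLE9U45MDQFH64VP0JBFPN5 TXT RRSIG
-1 bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2 . IN OPT 32768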
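--- a/regression-tests/tests/nsecx-mode3-wildcard/expected_result.narrow
+++ b/regression-tests/tests/nsecx-mode3-wildcard/expected_result.narrow
@@ -1,7 +1,5 @@
 0 second.first.something.wtest.com. IN A 3600 4.3.2.1
 0 second.first.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1 d0rjlf3tful8jfjk86vi5ce50nuea9a6.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd D0RJLF3TFUL8JFJK86VI5CE50NUEA9A8
 1 d0rjlf3tful8jfjk86vi5ce50nuea9a6.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2 . IN OPT 32768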
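--- a/regression-tests/tests/nsecx-mode3-wildcard/expected_result.nsec3
+++ b/regression-tests/tests/nsecx-mode3-wildcard/expected_result.nsec3
@@ -1,7 +1,5 @@
 0 second.first.something.wtest.com. IN A 3600 4.3.2.1
 0 second.first.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
-1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1 cv382m4jqhle9u45mdqfh64vp0jbfpn5.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd J02K7MH36PLGFKRS6UTOCESCCQ5P7EOB A RRSIG
 1 cv382m4jqhle9u45mdqfh64vp0jbfpn5.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2 . IN OPT 32768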